Windows Analysis Report
oEFrY6Xcyl.ps1

Overview

General Information

Sample name: oEFrY6Xcyl.ps1
renamed because original name is a hash value
Original sample name: 225e88d982bb204ca48d3e7e2999e0b651dbf8d51d23840e142e6df7426548b2.ps1
Analysis ID: 1542798
MD5: bcb86f9d27c31bae83ab47c9f970ca98
SHA1: 2828cf58872227589f46595101d6129ced8334ab
SHA256: 225e88d982bb204ca48d3e7e2999e0b651dbf8d51d23840e142e6df7426548b2
Tags: 20-25-126-96CobaltStrikeps1user-JAMESWT_MHT
Infos:

Detection

CobaltStrike, Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected MetasploitPayload
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found suspicious powershell code related to unpacking or dynamic code loading
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Cobalt Strike, CobaltStrike Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
 https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: oEFrY6Xcyl.ps1 Avira: detected
Found malware configuration
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/cm", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Multi AV Scanner detection for submitted file
Source: oEFrY6Xcyl.ps1 ReversingLabs: Detection: 65%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 96.1% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED331184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_000001A6ED331184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED349220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_000001A6ED349220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED341C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_000001A6ED341C30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 20.25.126.96
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 20.25.126.96 20.25.126.96
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49710 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49793 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49714 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49750 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49808 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49728 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49832 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49820 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49764 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49814 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49826 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49847 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49783 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49801 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49862 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49877 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49897 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49915 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49933 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49950 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49980 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49965 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49995 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50010 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50026 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50045 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50062 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50068 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50071 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50074 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50077 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50080 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50083 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50065 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50086 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50089 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50099 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50114 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50108 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50123 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50111 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50133 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50096 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50139 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50142 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50145 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50105 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50130 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50102 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50093 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50117 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50148 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50126 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50154 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50151 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50136 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50163 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50175 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50169 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50120 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50160 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50172 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50178 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50166 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50184 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50190 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50157 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50202 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50193 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50187 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50199 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50205 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50211 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50221 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50224 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50214 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50218 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50227 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50242 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50236 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50196 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50181 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50233 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50208 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50230 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50239 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50248 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50245 -> 20.25.126.96:443
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34717C recv,shutdown,closesocket, 0_2_000001A6ED34717C
Source: powershell.exe, 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:%u/
Source: powershell.exe, 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D4D39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D4B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D4D39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4601032571.000001A6ECC91000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/
Source: powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/?
Source: powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4601032571.000001A6ECC91000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cm
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cm5.126.96/cm
Source: powershell.exe, 00000000.00000002.4601032571.000001A6ECCFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cm;
Source: powershell.exe, 00000000.00000002.4601032571.000001A6ECCFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cm=
Source: powershell.exe, 00000000.00000002.4601032571.000001A6ECCFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cmW
Source: powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cmd
Source: powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cmf
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cmq
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cms
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cmv
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cmw
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/j
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/m
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/ms
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/ms2
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/ngs
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D4B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D4D39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50234 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 50189 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50221 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50209 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50236 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 50188 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50220 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50199 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50215
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50218
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50217
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50219
Source: unknown Network traffic detected: HTTP traffic on port 50174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50210
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50212
Source: unknown Network traffic detected: HTTP traffic on port 50225 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50202 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50211
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50214
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50213
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50226
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50229
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50228
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 50186 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50221
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50220
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50223
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50222
Source: unknown Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50225
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50224
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50238
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50237
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50239
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50230
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50232
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50231
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50234
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50236
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50235
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50198 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50213 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50232 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50248
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50241
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50240
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50243
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50242
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50245
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50244
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 50224 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50247
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50246
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50152 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50201 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50233 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50204
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50207
Source: unknown Network traffic detected: HTTP traffic on port 50196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50206
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50209
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50208
Source: unknown Network traffic detected: HTTP traffic on port 50245 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50201
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50200
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50203
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50202
Source: unknown Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50174
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50178
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50183
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50185
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50188
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50187
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50189
Source: unknown Network traffic detected: HTTP traffic on port 50205 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50190
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 50159 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50192
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50194
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50197
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50196
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50199
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50198
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown Network traffic detected: HTTP traffic on port 50170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50149
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50144
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50143
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown Network traffic detected: HTTP traffic on port 50226 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50148
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50147
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50151
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50152
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50155
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50156
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50159
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50158
Source: unknown Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50160
Source: unknown Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50162
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50161
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50171
Source: unknown Network traffic detected: HTTP traffic on port 50160 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50172
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50214 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50231 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50248 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50237 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50207 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 50229 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50206 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50158 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50238 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50123 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50190 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: oEFrY6Xcyl.ps1, type: SAMPLE Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: amsi64_2820.amsi.csv, type: OTHER Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Contains functionality to call native functions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34CA74 NtDuplicateObject,NtDuplicateObject,DuplicateHandle, 0_2_000001A6ED34CA74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34C8F4 NtCreateThreadEx,GetCurrentProcess,NtCreateThreadEx,NtCreateThreadEx,CreateThread,CreateRemoteThread, 0_2_000001A6ED34C8F4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34D134 NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,UnmapViewOfFile, 0_2_000001A6ED34D134
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34D1C8 NtAllocateVirtualMemory,GetCurrentProcess,NtAllocateVirtualMemory,NtAllocateVirtualMemory,VirtualAlloc,VirtualAllocEx, 0_2_000001A6ED34D1C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34CC00 NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,MapViewOfFile, 0_2_000001A6ED34CC00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34D4D8 NtQueryVirtualMemory,GetCurrentProcess,NtQueryVirtualMemory,GetCurrentProcess,VirtualQuery, 0_2_000001A6ED34D4D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34D2EC GetCurrentProcess,NtFreeVirtualMemory,VirtualFree, 0_2_000001A6ED34D2EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34CB7C NtGetContextThread,NtGetContextThread,GetThreadContext, 0_2_000001A6ED34CB7C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34D3B8 NtProtectVirtualMemory,GetCurrentProcess,NtProtectVirtualMemory,NtProtectVirtualMemory,VirtualProtect,VirtualProtectEx, 0_2_000001A6ED34D3B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34CE74 NtOpenThread,NtOpenThread,OpenThread, 0_2_000001A6ED34CE74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34CD6C NtOpenProcess,NtOpenProcess,SetLastError,OpenProcess, 0_2_000001A6ED34CD6C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34D5C4 NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory, 0_2_000001A6ED34D5C4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34D030 NtResumeThread,NtResumeThread,ResumeThread,ResumeThread, 0_2_000001A6ED34D030
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34D0B0 NtSetContextThread,NtSetContextThread,SetThreadContext, 0_2_000001A6ED34D0B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34CF60 NtReadVirtualMemory,NtReadVirtualMemory,ReadProcessMemory, 0_2_000001A6ED34CF60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34C754 NtClose,NtClose,CloseHandle,SetLastError, 0_2_000001A6ED34C754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34C7E4 NtCreateSection,NtCreateSection,CreateFileMappingA, 0_2_000001A6ED34C7E4
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED341268 CreateProcessWithLogonW,GetLastError, 0_2_000001A6ED341268
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED301264 0_2_000001A6ED301264
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED30AAB0 0_2_000001A6ED30AAB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED305914 0_2_000001A6ED305914
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED301928 0_2_000001A6ED301928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED2E916C 0_2_000001A6ED2E916C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED332980 0_2_000001A6ED332980
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED2F0334 0_2_000001A6ED2F0334
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED30C397 0_2_000001A6ED30C397
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED30239C 0_2_000001A6ED30239C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED300374 0_2_000001A6ED300374
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED30E600 0_2_000001A6ED30E600
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED2ECE3C 0_2_000001A6ED2ECE3C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED30C680 0_2_000001A6ED30C680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED2E9680 0_2_000001A6ED2E9680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED2FF5A8 0_2_000001A6ED2FF5A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED30CFF0 0_2_000001A6ED30CFF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED2F6F38 0_2_000001A6ED2F6F38
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED30B7B0 0_2_000001A6ED30B7B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED35F200 0_2_000001A6ED35F200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED33DA3C 0_2_000001A6ED33DA3C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED33A280 0_2_000001A6ED33A280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED35D280 0_2_000001A6ED35D280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED3501A8 0_2_000001A6ED3501A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED35DBF0 0_2_000001A6ED35DBF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED347B38 0_2_000001A6ED347B38
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED35C3B0 0_2_000001A6ED35C3B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED351E64 0_2_000001A6ED351E64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34867C 0_2_000001A6ED34867C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED35B6B0 0_2_000001A6ED35B6B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED356514 0_2_000001A6ED356514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED352528 0_2_000001A6ED352528
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED339D6C 0_2_000001A6ED339D6C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED340F34 0_2_000001A6ED340F34
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED352F9C 0_2_000001A6ED352F9C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED35CF97 0_2_000001A6ED35CF97
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED350F74 0_2_000001A6ED350F74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD347983D5 0_2_00007FFD347983D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD347944FB 0_2_00007FFD347944FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD3479A475 0_2_00007FFD3479A475
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34796CCD 0_2_00007FFD34796CCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD347926F5 0_2_00007FFD347926F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD3479AEFA 0_2_00007FFD3479AEFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34792EFA 0_2_00007FFD34792EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34795EFA 0_2_00007FFD34795EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34797FF2 0_2_00007FFD34797FF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34794322 0_2_00007FFD34794322
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34866B92 0_2_00007FFD34866B92
Yara signature match
Source: oEFrY6Xcyl.ps1, type: SAMPLE Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: amsi64_2820.amsi.csv, type: OTHER Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.evad.winPS1@2/5@0/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED340B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_000001A6ED340B70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED343A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep, 0_2_000001A6ED343A64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u31gyipb.z3t.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: oEFrY6Xcyl.ps1 ReversingLabs: Detection: 65%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oEFrY6Xcyl.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdatauser.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior

Data Obfuscation
barindex
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((test kernel32.dll VirtualAlloc), (test2 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('M
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('bnlicXZrqsZros8DIyMja64+ydzc3Guq/Gui4PerIiPc8GKb05aBdUsnIyMjeWuq2tzzIyMjIyMjIyMjIyIjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyOmhQ4/4uRgbO
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED360198 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,LoadLibraryExW,GetLastError,LoadLibraryExW, 0_2_000001A6ED360198
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED31776C push 0000006Ah; retf 0_2_000001A6ED317784
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED36916C push 0000006Ah; retf 0_2_000001A6ED369184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34792E25 pushad ; iretd 0_2_00007FFD34792E91
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34792E45 pushad ; iretd 0_2_00007FFD34792E91
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD3479A26C push esp; retf 0_2_00007FFD3479A26D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34795BB8 pushad ; iretd 0_2_00007FFD34795BB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD34860565 push edi; retf 0_2_00007FFD34860566
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED3501A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_000001A6ED3501A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED33FA1C 0_2_000001A6ED33FA1C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED345854 0_2_000001A6ED345854
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5027 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4799 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe API coverage: 2.0 %
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED345854 0_2_000001A6ED345854
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1056 Thread sleep time: -14757395258967632s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED349220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_000001A6ED349220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED341C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_000001A6ED341C30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602674229.000001A6ECF9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECF9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW>
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED3521DC __crtCaptureCurrentContext,IsDebuggerPresent, 0_2_000001A6ED3521DC
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED359744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_000001A6ED359744
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED360198 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,LoadLibraryExW,GetLastError,LoadLibraryExW, 0_2_000001A6ED360198
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED3621C0 GetProcessHeap,DeleteProcThreadAttributeList, 0_2_000001A6ED3621C0
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED3624C8 DeleteCriticalSection,SetUnhandledExceptionFilter, 0_2_000001A6ED3624C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED3624D0 RtlCaptureContext,SetUnhandledExceptionFilter, 0_2_000001A6ED3624D0

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR
Contains functionality to execute programs as a different user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34DF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_000001A6ED34DF50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34DEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_000001A6ED34DEC8
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED340920 CreateNamedPipeA, 0_2_000001A6ED340920
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED3622A0 ReadFile,GetLocalTime, 0_2_000001A6ED3622A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34B47C malloc,GetComputerNameExA,GetComputerNameA,GetUserNameA,malloc, 0_2_000001A6ED34B47C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED3621A8 GetVersionExA, 0_2_000001A6ED3621A8

Remote Access Functionality
barindex
Yara detected CobaltStrike
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR
Source: Yara match File source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected MetasploitPayload
Source: Yara match File source: oEFrY6Xcyl.ps1, type: SAMPLE
Source: Yara match File source: amsi64_2820.amsi.csv, type: OTHER
Source: Yara match File source: 00000000.00000002.4602998708.000001A6ED0B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4595950980.000001A6E4B7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED346A78 socket,htons,ioctlsocket,closesocket,bind,listen, 0_2_000001A6ED346A78
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED34EE8C socket,closesocket,htons,bind,listen, 0_2_000001A6ED34EE8C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_000001A6ED346670 htonl,htons,socket,closesocket,bind,ioctlsocket, 0_2_000001A6ED346670
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1542798 Sample: oEFrY6Xcyl.ps1 Startdate: 26/10/2024 Architecture: WINDOWS Score: 100 14 Found malware configuration 2->14 16 Malicious sample detected (through community Yara rule) 2->16 18 Antivirus / Scanner detection for submitted sample 2->18 20 6 other signatures 2->20 6 powershell.exe 20 2->6         started        process3 dnsIp4 12 20.25.126.96, 443, 49710, 49711 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 6->12 22 Found suspicious powershell code related to unpacking or dynamic code loading 6->22 24 Contains functionality to detect sleep reduction / modifications 6->24 10 conhost.exe 6->10         started        signatures5 process6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
20.25.126.96
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
20.25.126.96 true
    		unknown