Edit tour

Windows Analysis Report
I9xuKI2p2B.ps1

Overview

General Information

Sample name:	I9xuKI2p2B.ps1 renamed because original name is a hash value
Original sample name:	791e46fd261d0ca654c3ee5139b35261184e759c806dfd3922f838abc4517bd6.ps1
Analysis ID:	1528959
MD5:	1490689d19a8ae5f6b6ac5c1915a6cfa
SHA1:	399ed4bd1a70ebd9b02c78e46a7b763dcf815ca0
SHA256:	791e46fd261d0ca654c3ee5139b35261184e759c806dfd3922f838abc4517bd6
Tags:	194-36-90-111ps1user-JAMESWT_MHT
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

AI detected suspicious sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 1548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\I9xuKI2p2B.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
I9xuKI2p2B.ps1	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 1548	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi64_1548.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\I9xuKI2p2B.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\I9xuKI2p2B.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\I9xuKI2p2B.ps1", ProcessId: 1548, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\I9xuKI2p2B.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\I9xuKI2p2B.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\I9xuKI2p2B.ps1", ProcessId: 1548, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE PS1/ExfiltracaoBot CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T14:19:03.268480+0200	2055903	1	Malware Command and Control Activity Detected	192.168.2.6	49717	194.36.90.111	9099	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: I9xuKI2p2B.ps1

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.3% probability

Source:	Binary string: tomation.pdb source: powershell.exe, 00000000.00000002.2409793802.00000227E0E13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2380038112.00000227C6A22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2408511252.00000227E0B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Microsoft\CLR_v4.0.pdb source: powershell.exe, 00000000.00000002.2409793802.00000227E0EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbu source: powershell.exe, 00000000.00000002.2409793802.00000227E0E13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer328 source: powershell.exe, 00000000.00000002.2380038112.00000227C6A22000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2055903 - Severity 1 - ET MALWARE PS1/ExfiltracaoBot CnC Checkin : 192.168.2.6:49717 -> 194.36.90.111:9099

Source: global traffic

TCP traffic: 192.168.2.6:49717 -> 194.36.90.111:9099

Source: global traffic

HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View

ASN Name: PARTNER-ASIL PARTNER-ASIL

Source: unknown

DNS query: name: ipinfo.io

Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.90.111
Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.90.111
Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.90.111
Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.90.111
Source: unknown	TCP traffic detected without corresponding DNS query: 194.36.90.111
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipinfo.io

Source: powershell.exe, 00000000.00000002.2380626292.00000227C9001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2380626292.00000227C9006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2380626292.00000227C8E90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io
Source: powershell.exe, 00000000.00000002.2380626292.00000227C8C57000.00000004.00000800.00020000.00000000.sdmp, I9xuKI2p2B.ps1	String found in binary or memory: http://ipinfo.io/json
Source: powershell.exe, 00000000.00000002.2405211913.00000227D8AA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2405211913.00000227D8BE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2380626292.00000227C8C57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2380626292.00000227C8A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2380626292.00000227C8C57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2409488682.00000227E0C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co_
Source: powershell.exe, 00000000.00000002.2380626292.00000227C8A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2405211913.00000227D8BE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2405211913.00000227D8BE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2405211913.00000227D8BE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2380626292.00000227C8C57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2380626292.00000227CA03B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2408511252.00000227E0BC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000000.00000002.2380626292.00000227C9006000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/missingauth
Source: powershell.exe, 00000000.00000002.2405211913.00000227D8AA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2405211913.00000227D8BE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3479F4F2	0_2_00007FFD3479F4F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3479E746	0_2_00007FFD3479E746
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34792C6C	0_2_00007FFD34792C6C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3479CC64	0_2_00007FFD3479CC64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34797E4D	0_2_00007FFD34797E4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD347916FA	0_2_00007FFD347916FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34799724	0_2_00007FFD34799724
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3479DF45	0_2_00007FFD3479DF45
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD347916BF	0_2_00007FFD347916BF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD347956D8	0_2_00007FFD347956D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD347A0FE5	0_2_00007FFD347A0FE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD347957FA	0_2_00007FFD347957FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34793FFA	0_2_00007FFD34793FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD347927F2	0_2_00007FFD347927F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34799870	0_2_00007FFD34799870
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD347962FB	0_2_00007FFD347962FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34798AF2	0_2_00007FFD34798AF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34792C25	0_2_00007FFD34792C25

Source: classification engine

Classification label: mal68.evad.winPS1@2/7@1/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\0810

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryymyhwv.4hv.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: I9xuKI2p2B.ps1

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\I9xuKI2p2B.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: tomation.pdb source: powershell.exe, 00000000.00000002.2409793802.00000227E0E13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2380038112.00000227C6A22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2408511252.00000227E0B40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Microsoft\CLR_v4.0.pdb source: powershell.exe, 00000000.00000002.2409793802.00000227E0EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbu source: powershell.exe, 00000000.00000002.2409793802.00000227E0E13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer328 source: powershell.exe, 00000000.00000002.2380038112.00000227C6A22000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3479AED4 pushad ; ret	0_2_00007FFD3479B081
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3479AF5D pushad ; ret	0_2_00007FFD3479B081
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34791274 push cs; iretd	0_2_00007FFD347912D2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34796BF8 push eax; ret	0_2_00007FFD34796BF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34865529 push edx; iretd	0_2_00007FFD348655DB

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFD3486100D sldt word ptr [eax]

0_2_00007FFD3486100D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4491			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5370			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 800

Thread sleep time: -8301034833169293s >= -30000s

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000000.00000002.2408511252.00000227E0BC9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLL#

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: I9xuKI2p2B.ps1, type: SAMPLE
Source: Yara match	File source: amsi64_1548.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1548, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: powershell.exe, 00000000.00000002.2409793802.00000227E0E5D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2409793802.00000227E0EA5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
I9xuKI2p2B.ps1	16%	ReversingLabs	Script-PowerShell.Trojan.Pantera

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.59.81	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ipinfo.io/json	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/missingauth	powershell.exe, 00000000.00000002.2380626292.00000227C9006000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2405211913.00000227D8AA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2405211913.00000227D8BE3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2380626292.00000227C8C57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.microsoft.co	powershell.exe, 00000000.00000002.2408511252.00000227E0BC9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2380626292.00000227C8C57000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000000.00000002.2380626292.00000227CA03B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ipinfo.io	powershell.exe, 00000000.00000002.2380626292.00000227C9001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2380626292.00000227C9006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2380626292.00000227C8E90000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000000.00000002.2405211913.00000227D8BE3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2405211913.00000227D8AA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2405211913.00000227D8BE3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.2405211913.00000227D8BE3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2405211913.00000227D8BE3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2380626292.00000227C8A31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2380626292.00000227C8A31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co_	powershell.exe, 00000000.00000002.2409488682.00000227E0C60000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2380626292.00000227C8C57000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.36.90.111	unknown	Israel		12400	PARTNER-ASIL	true
34.117.59.81	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528959
Start date and time:	2024-10-08 14:18:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	I9xuKI2p2B.ps1 renamed because original name is a hash value
Original Sample Name:	791e46fd261d0ca654c3ee5139b35261184e759c806dfd3922f838abc4517bd6.ps1
Detection:	MAL
Classification:	mal68.evad.winPS1@2/7@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 12 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1548 because it is empty
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: I9xuKI2p2B.ps1

Simulations

Behavior and APIs

Time	Type	Description
08:19:01	API Interceptor	46x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.59.81	licarisan_api.exe	Get hash	malicious	Icarus	Browse	ipinfo.io/ip
	build.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	YjcgpfVBcm.bat	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	lePDF.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	6Mpsoq1.php.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	mjOiDa1hrN.bat	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	8ym4cxJPyl.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	GKrKPXOkdF.zsb.dll	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	JuhnladbIs.qao.dll	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	bdsBbxwPyV.ena.dll	Get hash	malicious	Unknown	Browse	ipinfo.io/json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	http://pub-f3922f20d4c74ba1869fd3db906e3295.r2.dev/gsecondcheck.html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	http://pan4477.onrender.com/	Get hash	malicious	Unknown	Browse	34.117.59.81
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	34.117.59.81
	build.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	d1bc91bd44a0.exe	Get hash	malicious	PrivateLoader, Stealc, Vidar	Browse	34.117.59.81
	setup.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	34.117.59.81
	sqlite.dll	Get hash	malicious	Unknown	Browse	34.117.59.81
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	66fb252fe232b_Patksl.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	34.117.59.81

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PARTNER-ASIL	xd.arm7.elf	Get hash	malicious	Mirai	Browse	94.159.171.145
	novo.x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	176.229.203.52
	jade.arm6.elf	Get hash	malicious	Mirai	Browse	31.154.35.223
	jade.arm7.elf	Get hash	malicious	Mirai	Browse	31.154.35.237
	Tsunami.arm.elf	Get hash	malicious	Mirai	Browse	31.154.35.226
	https://globus-relocation.co.il	Get hash	malicious	Unknown	Browse	5.100.251.69
	SecuriteInfo.com.Linux.Siggen.9999.6222.10653.elf	Get hash	malicious	Mirai	Browse	2.55.32.44
	firmware.i586.elf	Get hash	malicious	Unknown	Browse	176.231.161.27
	KKveTTgaAAsecNNaaaa.arm.elf	Get hash	malicious	Unknown	Browse	2.52.41.3
	hoho.arm7.elf	Get hash	malicious	Mirai	Browse	2.53.55.76
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	na.elf	Get hash	malicious	Mirai	Browse	34.116.12.112
	na.elf	Get hash	malicious	Mirai	Browse	34.64.41.170
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.540534109342368
Encrypted:	false
SSDEEP:	3:KON+E2J5BBraan:KON7233ean
MD5:	3B072F76FD6C2327CA4BDB410AD77215
SHA1:	CE8E4DC554050BDF2FFF3BEC629D8CCD7DC6EFDF
SHA-256:	7123EFC9E675C7A4A10E70E7112C628117170EFD028BF42FA5814EA86ED1553F
SHA-512:	75EE1BADAB3EBCA078EEB8C680795386B5F97A47706234493F1AF7B792B593CF847D266511B7A1B6B4DA099A675D8011C947C736A8B9F6DE3F2A10A452602259
Malicious:	false
Reputation:	low
Preview:	.C:\Users\user\AppData\Local\ddtMa5eUJ..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11608
Entropy (8bit):	4.890472898059848
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5:	8A4B02D8A977CB929C05D4BC2942C5A9
SHA1:	F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256:	624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512:	38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulnmWllZ:NllUmWl
MD5:	3EBBEC2F920D055DAC842B4FF84448FA
SHA1:	52D2AD86C481FAED6187FC7E6655C5BD646CA663
SHA-256:	32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
SHA-512:	163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_okk40yyr.f5b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryymyhwv.4hv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7294262512484875
Encrypted:	false
SSDEEP:	48:VeDjlOWtf93CyrU2UcSukvhkvklCywYJ+VQPJlHJWSogZowp+VQPJlwWSogZok1:4B93C/TekvhkvCCtRVQPJDHuVQPJMHL
MD5:	CD2428FADFB6A4BBDEDB246E8F328E7D
SHA1:	0A7DBC7E0AD1334EFC82E351BFDC292E8B9C1A88
SHA-256:	5010112C489CF445F9420FD330E00AFC9F34298E037BB4F7CC4B896D26A465B1
SHA-512:	F779A634D94936658464863626E44821BD84D6D0956322584093A19C937C79067E7AEF7E22A942D3B5A8F20F99F49081543CEC44955C72FFD5F2051595358517
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S....i.@\|...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...q)7<\|.....@\|.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2HY\b...........................^.A.p.p.D.a.t.a...B.V.1.....HYZb..Roaming.@......EW<2HYZb..../.......................O.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2HYXb....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2HYXb....2......................G..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2HYXb....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2HYXb....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2HY`b....u...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\95ILA4DXL0ANFMURWXS7.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7294262512484875
Encrypted:	false
SSDEEP:	48:VeDjlOWtf93CyrU2UcSukvhkvklCywYJ+VQPJlHJWSogZowp+VQPJlwWSogZok1:4B93C/TekvhkvCCtRVQPJDHuVQPJMHL
MD5:	CD2428FADFB6A4BBDEDB246E8F328E7D
SHA1:	0A7DBC7E0AD1334EFC82E351BFDC292E8B9C1A88
SHA-256:	5010112C489CF445F9420FD330E00AFC9F34298E037BB4F7CC4B896D26A465B1
SHA-512:	F779A634D94936658464863626E44821BD84D6D0956322584093A19C937C79067E7AEF7E22A942D3B5A8F20F99F49081543CEC44955C72FFD5F2051595358517
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S....i.@\|...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...q)7<\|.....@\|.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2HY\b...........................^.A.p.p.D.a.t.a...B.V.1.....HYZb..Roaming.@......EW<2HYZb..../.......................O.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2HYXb....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2HYXb....2......................G..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2HYXb....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2HYXb....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2HY`b....u...........

Static File Info

General

File type:	ISO-8859 text
Entropy (8bit):	5.320072013280296
TrID:
File name:	I9xuKI2p2B.ps1
File size:	10'840 bytes
MD5:	1490689d19a8ae5f6b6ac5c1915a6cfa
SHA1:	399ed4bd1a70ebd9b02c78e46a7b763dcf815ca0
SHA256:	791e46fd261d0ca654c3ee5139b35261184e759c806dfd3922f838abc4517bd6
SHA512:	0ecc50552d5e1a9f7f65cdee101a71385d2cd549c7496cc0075f2653ed7296801fd417b907c2759308ebe65ba357e023d41076f6393cf47ade8a153738c8c390
SSDEEP:	192:/XkW0ZtiWgVYUeYwAjStSN8yOwT7cuipH6wfrig/caovsanum915bbHTBOAwJby0:/0W0ZtiWgVBLipH6Mrig/wv7/15REa2
TLSH:	5722C64C77D2E5A6028762BAD8DD8405FA688167002DDD86FBDED5C07FA4278C7F06E2
File Content Preview:	function r7X6wRCFTc {. param (. [int]$Zj1Z4ziujJ = $args[0]. ).. # C.digo ASCII para letras (A-Z, a-z) e n.meros (0-9). $APSpFzN1rI = (65..90) + (97..122) + (48..57).. $LA2cNwV1f8 = foreach ($dUMDjBbejd in (1..$Zj1Z4ziujJ)) {.

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T14:19:03.268480+0200	2055903	ET MALWARE PS1/ExfiltracaoBot CnC Checkin	1	192.168.2.6	49717	194.36.90.111	9099	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 14:19:02.680214882 CEST	49716	80	192.168.2.6	34.117.59.81
Oct 8, 2024 14:19:02.685440063 CEST	80	49716	34.117.59.81	192.168.2.6
Oct 8, 2024 14:19:02.685537100 CEST	49716	80	192.168.2.6	34.117.59.81
Oct 8, 2024 14:19:02.685735941 CEST	49716	80	192.168.2.6	34.117.59.81
Oct 8, 2024 14:19:02.690999985 CEST	80	49716	34.117.59.81	192.168.2.6
Oct 8, 2024 14:19:03.181591034 CEST	80	49716	34.117.59.81	192.168.2.6
Oct 8, 2024 14:19:03.227332115 CEST	49716	80	192.168.2.6	34.117.59.81
Oct 8, 2024 14:19:03.244688034 CEST	49717	9099	192.168.2.6	194.36.90.111
Oct 8, 2024 14:19:03.250454903 CEST	9099	49717	194.36.90.111	192.168.2.6
Oct 8, 2024 14:19:03.250518084 CEST	49717	9099	192.168.2.6	194.36.90.111
Oct 8, 2024 14:19:03.268480062 CEST	49717	9099	192.168.2.6	194.36.90.111
Oct 8, 2024 14:19:03.273372889 CEST	9099	49717	194.36.90.111	192.168.2.6
Oct 8, 2024 14:19:24.608227968 CEST	9099	49717	194.36.90.111	192.168.2.6
Oct 8, 2024 14:19:24.608298063 CEST	49717	9099	192.168.2.6	194.36.90.111
Oct 8, 2024 14:19:24.611916065 CEST	49717	9099	192.168.2.6	194.36.90.111
Oct 8, 2024 14:19:24.617027044 CEST	9099	49717	194.36.90.111	192.168.2.6
Oct 8, 2024 14:19:24.788604975 CEST	49716	80	192.168.2.6	34.117.59.81

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 14:19:02.666667938 CEST	63651	53	192.168.2.6	1.1.1.1
Oct 8, 2024 14:19:02.676533937 CEST	53	63651	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 14:19:02.666667938 CEST	192.168.2.6	1.1.1.1	0xf051	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 14:19:02.676533937 CEST	1.1.1.1	192.168.2.6	0xf051	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49716	34.117.59.81	80	1548	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 14:19:02.685735941 CEST	63	OUT	GET /json HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Oct 8, 2024 14:19:03.181591034 CEST	588	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 319 content-type: application/json; charset=utf-8 date: Tue, 08 Oct 2024 12:19:03 GMT x-content-type-options: nosniff via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 0a 20 20 22 72 65 61 64 6d 65 22 3a 20 22 68 74 74 70 73 3a 2f 2f 69 70 69 6e 66 6f 2e 69 6f 2f 6d 69 73 73 69 6e 67 61 75 74 68 22 0a 7d Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "America/New_York", "readme": "https://ipinfo.io/missingauth"}

Target ID:	0
Start time:	08:18:58
Start date:	08/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\I9xuKI2p2B.ps1"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:18:59
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD3479E746 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e86f299955e8f757d4b579bae3abd6763449eb2044d19d8e4c12412ea68652e
Instruction ID: 57590c69c3bb9356e3c71641f6a606849e06721a96bf645a294692fd181b15fd
Opcode Fuzzy Hash: 8e86f299955e8f757d4b579bae3abd6763449eb2044d19d8e4c12412ea68652e
Instruction Fuzzy Hash: D4F19670618A8D8FEBA8DF28C855BF977D1FF55310F14426EE84DC7291CB38A9458B82

Function 00007FFD3479F4F2 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8328eba0c1982d631388d23706547b200aea9e1fda7b38d064ff6c391306278a
Instruction ID: faf173e4191f40760d231a89712bd50ca6d5528442b44b7114437700e9edc931
Opcode Fuzzy Hash: 8328eba0c1982d631388d23706547b200aea9e1fda7b38d064ff6c391306278a
Instruction Fuzzy Hash: C2E1A670608A8E8FEBA8DF28C8657E977E1FF55310F14426ED84DC7291CE78A9458BC1

Function 00007FFD34A24419 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2415421546.00007FFD34A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3942764eb1763823aa1504808b3cce24ae85a0a52499baa9be2017c9b042ec
Instruction ID: 8170bb031c59ddde9557117038c070f7b9ea3c76c864fc528e58d801ccf366e1
Opcode Fuzzy Hash: 0f3942764eb1763823aa1504808b3cce24ae85a0a52499baa9be2017c9b042ec
Instruction Fuzzy Hash: A2B1F422B0EA8A0FE7A5972848B51B87BD1EF56258F2801BFD14DC71D3DE2CAC45A741

Function 00007FFD3479F106 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d12b0535481195014725014ea2057d7ead732cbab2bffac7303a704743f4c9
Instruction ID: d68fbd2bbed7b7b0fb9bde96daaeb80304e2ba24e2d6eacfc3254ed021d2a4cf
Opcode Fuzzy Hash: 46d12b0535481195014725014ea2057d7ead732cbab2bffac7303a704743f4c9
Instruction Fuzzy Hash: 46B1B67060CA8D8FDB68DF28D8557E93BE1FF55310F14426EE84DC7292CA78A945CB82

Function 00007FFD3486950E Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2412596764.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc4095a314895f186342ce3c6d38ea4b3a27f5992260f7da9a190269981dcc9
Instruction ID: d639b56ae02f88e11fdd9b5d5a0ed28e0c94296803efb22adb58fb2fbed4da10
Opcode Fuzzy Hash: 0cc4095a314895f186342ce3c6d38ea4b3a27f5992260f7da9a190269981dcc9
Instruction Fuzzy Hash: 6361E622B0EF860FE7E5976814B52B9A6C2EF96264B8800BED65DC71D3DD0CAC069741

Function 00007FFD34A242C9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2415421546.00007FFD34A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8b9f090004fa76fbadcbc71ebb0e80067b558f9c96021118c683f7f7f8bf22
Instruction ID: ed248dfd3110adfdbf953796b1b6c3e6aefa0d0fafa18fe48a4edb214724a217
Opcode Fuzzy Hash: ad8b9f090004fa76fbadcbc71ebb0e80067b558f9c96021118c683f7f7f8bf22
Instruction Fuzzy Hash: FA415612B4DA890FE7A6D62858B46B5BBE1DF56254B2801FBC04DCB1D3DE0DEC01D381

Function 00007FFD3486955A Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2412596764.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b218aaece540d4de7fc8b9cc29fda30ae5957b8fda6618c4c67f0284c32c7c
Instruction ID: 6a6a83e9b126a32205cff30931811c903f997b0eec7e41bc81d11653e86ff333
Opcode Fuzzy Hash: c4b218aaece540d4de7fc8b9cc29fda30ae5957b8fda6618c4c67f0284c32c7c
Instruction Fuzzy Hash: C141B553F0EF870BE7D5976804F52B8A6C2AF96274B9800BAC75DC71E3DD0DAC066A01

Function 00007FFD34A24A41 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2415421546.00007FFD34A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b50e3b6f478cc5793b1b131162b089b90cf71a427f3a6b0e36896413945706
Instruction ID: d247c79160913cac98c1ac493279e0da21eb9d73e5204335037006614575d55d
Opcode Fuzzy Hash: a8b50e3b6f478cc5793b1b131162b089b90cf71a427f3a6b0e36896413945706
Instruction Fuzzy Hash: 7531B53150CA889FC758DF5CE8456A97BE0FB9A325F04425FE08DC3242CB74A456CB85

Function 00007FFD3479EC04 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d7f6ba40af22d6c96d85976d653aab68ea913c8b889e1846cff4c1dffc92fa
Instruction ID: c1ca78ec69196a7d15faf31a44ec90406ac990415969c585d2295681abfb007b
Opcode Fuzzy Hash: e7d7f6ba40af22d6c96d85976d653aab68ea913c8b889e1846cff4c1dffc92fa
Instruction Fuzzy Hash: 65311B70A2864DCEFBB8AB14CC66BF83291FB4331AF400539D54DC61C2CA387989DB41

Function 00007FFD34A2087E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2415421546.00007FFD34A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2197aa19896633ff98bc5dbd251337152bfb2ed0cc85ae98f1b4c1acc1fcd805
Instruction ID: 1591328da391f1329c50bca7536c9eb2c7c0f7dd81d1cae54add8ebe0dfd6d88
Opcode Fuzzy Hash: 2197aa19896633ff98bc5dbd251337152bfb2ed0cc85ae98f1b4c1acc1fcd805
Instruction Fuzzy Hash: 7E110632B0D7884FEB55EB9840E01A97BE1EF5A354F2400BFC24DD7183DA28AC45E351

Function 00007FFD347950C5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c49016649ce64b9a557ffbf06257afa84b0bf41bb95c163a8b9c18b501113d
Instruction ID: 1de892e83b1fff290f2dc899b083c126641da458b7563ea460e37b710d059abb
Opcode Fuzzy Hash: 03c49016649ce64b9a557ffbf06257afa84b0bf41bb95c163a8b9c18b501113d
Instruction Fuzzy Hash: A401677121CB0C8FD744EF0CE451AA9B7E0FB95364F10056DE58AC3651D636E882CB45

Function 00007FFD34A2432A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2415421546.00007FFD34A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75e5539a088f3024e6a0d220b5d8d0b72f6de292f872a19124df3b5fc3a3814
Instruction ID: be296f526df99bc7b70e17da7977d87cebe4cf702874404104039a4f421d72eb
Opcode Fuzzy Hash: d75e5539a088f3024e6a0d220b5d8d0b72f6de292f872a19124df3b5fc3a3814
Instruction Fuzzy Hash: 4BE0923174DD494FDB95EA2898E18B5B3E0EB2A31131401EBC00ACA197CE29AC85C780

Non-executed Functions

Function 00007FFD34798AF2 Relevance: 7.6, Strings: 6, Instructions: 97COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD34798B22
L_^, xrefs: 00007FFD34798B12
L_^, xrefs: 00007FFD34798B72
L_^, xrefs: 00007FFD34798BC2
L_^, xrefs: 00007FFD34798AF2
L_^, xrefs: 00007FFD34798B62

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^$L_^
API String ID: 0-2894164595
Opcode ID: 762d661323f462d723e960308f86fcd8d8d6d7f502922094f36a42f46c2b4135
Instruction ID: e1c5bda342830f9ba89cffb74f3369450072ae408c7a1dac9693945127a1185f
Opcode Fuzzy Hash: 762d661323f462d723e960308f86fcd8d8d6d7f502922094f36a42f46c2b4135
Instruction Fuzzy Hash: 123174E7E1CAC2ABE266412908BA0D93BC4EF5332871E10B6C7549B193AF5D3C479142

Function 00007FFD347916FA Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

-M_^, xrefs: 00007FFD34791701
,M_^, xrefs: 00007FFD34791801

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: ,M_^$-M_^
API String ID: 0-2095488800
Opcode ID: ce25f7996fd8a70d0f64785940cffed23bcb77dd15d2d8247fc36fcf7b61e6cc
Instruction ID: 7f843de9d0553aeee2d020db220f96d828bc8fbaa82a222d5cf6969a4a7dab4a
Opcode Fuzzy Hash: ce25f7996fd8a70d0f64785940cffed23bcb77dd15d2d8247fc36fcf7b61e6cc
Instruction Fuzzy Hash: 0A4161D7A0DAC79AF662562818F64E93FD5EF1366870901F3C694CA093FD1C3827A242

Function 00007FFD34793FFA Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFD34794080

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 6137d4a90a0b4660a9938941d5a4b8aa3112163cb91afc7d9e3c5e14494c1029
Instruction ID: 3dbd582a5df685d92e6a48429229c03ac9f75c6758df561c2dc058fbed36a273
Opcode Fuzzy Hash: 6137d4a90a0b4660a9938941d5a4b8aa3112163cb91afc7d9e3c5e14494c1029
Instruction Fuzzy Hash: 50D1E671B0CA8A8FEB95DF1CC4A5AE97BE1FF66310F0401BAC549D7152DA28B842C7D1

Function 00007FFD347957FA Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

%N_H, xrefs: 00007FFD347959A0

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: %N_H
API String ID: 0-2307434723
Opcode ID: ff41aabe58a2ea5e9347420e78a8d2bc3f047575f7e2e655b186f38834114ab5
Instruction ID: a92125352907d5d81b4309fa1827f17bff28abff88d82eaaad0fb5424a27b338
Opcode Fuzzy Hash: ff41aabe58a2ea5e9347420e78a8d2bc3f047575f7e2e655b186f38834114ab5
Instruction Fuzzy Hash: 6661D397B0DBA29EE6E2566C18F60F93BD4DF532A570800B7C688C6193EC1D380797D2

Function 00007FFD347916BF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

,M_^, xrefs: 00007FFD34791801

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: ,M_^
API String ID: 0-34794593
Opcode ID: 463c9cd9a765aac8dcc60d3dff88b5eeecfc785e06d1b99bf85e042d1285aa12
Instruction ID: dbfc37e88e3ee0b7ef203a798c3f662357820fa0b5e01623b609aa7427b7a298
Opcode Fuzzy Hash: 463c9cd9a765aac8dcc60d3dff88b5eeecfc785e06d1b99bf85e042d1285aa12
Instruction Fuzzy Hash: 795151D7A0DAC79AF662563818F64E93FD5EF1326870901F6C694CA093FD1C3827A252

Function 00007FFD34799724 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e880f3f1ca1e1b4bae73c46ac044f68a8c8ac8917bbc10736fd1898d26973dd
Instruction ID: f2823ab41e973f27ea6e11f03a23217c41a6af21e9ad7b32bde63ef67353580a
Opcode Fuzzy Hash: 5e880f3f1ca1e1b4bae73c46ac044f68a8c8ac8917bbc10736fd1898d26973dd
Instruction Fuzzy Hash: A1A116A2A0E7C65FE753972858F54E63FA4EF53228B0801FBC198CB193DD1C6856C792

Function 00007FFD3479DF45 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320d37e90f093750716a5f449991663b447e46139e761375acdc9af9451d2daa
Instruction ID: c18e42ffb725285599599ffc9214fd69c977a7ed50d5ed15b4624286ba9ae7ad
Opcode Fuzzy Hash: 320d37e90f093750716a5f449991663b447e46139e761375acdc9af9451d2daa
Instruction Fuzzy Hash: 70A1E731A0C74C8FDB19DBA898566FDBBE1EF56311F0442AFD049D3292CE796846CB81

Function 00007FFD3479CC64 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a77dafc96bdcb029a61a9a769dbfc86760bded33c0b6e1c1830f9ee51b5e24
Instruction ID: 6e754b974ac0e752a25c0a0ea0998403100c6a74d5696f66bb2322dfddefbddb
Opcode Fuzzy Hash: 99a77dafc96bdcb029a61a9a769dbfc86760bded33c0b6e1c1830f9ee51b5e24
Instruction Fuzzy Hash: FB91D871E0CB4C4FDB19DBA898596FDBBE1EB96321F04826FD049D3252CE746846CB81

Function 00007FFD347A0FE5 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac45c8c03707c6485845b8b6f4d9d83a55f521c71a821f1a330e91ac81c6a166
Instruction ID: d23317100a3193f19522a439228117de0b926c66b7e315768b9d8e4f077f39c1
Opcode Fuzzy Hash: ac45c8c03707c6485845b8b6f4d9d83a55f521c71a821f1a330e91ac81c6a166
Instruction Fuzzy Hash: C4A14056A0E7E29FE753A76C68B60E63F60DF4322870904F7C1C4DB093D90D681AD3A6

Function 00007FFD34792C25 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a1cfdb12e7271e6c15f52c0e79c1b684125086329aa193c38f9437103cd15e
Instruction ID: bd762ec3321a55ec2ce4cc825807ded4cd66a8c7b1f78757411977eb3f497def
Opcode Fuzzy Hash: 09a1cfdb12e7271e6c15f52c0e79c1b684125086329aa193c38f9437103cd15e
Instruction Fuzzy Hash: 8781676770D7965FE352A67CA8F70EA3BA4DF4323970D46B3C1C4CA0A3DD1D284A9291

Function 00007FFD34792C6C Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b474b5db5a7f2bee6b1eb371b800aa773b8cbd23d68d561174bc4bb80e7a1f3c
Instruction ID: f27a321b424d076c910f42dfb2121beaee89983b65ae20dffced79b30223ec44
Opcode Fuzzy Hash: b474b5db5a7f2bee6b1eb371b800aa773b8cbd23d68d561174bc4bb80e7a1f3c
Instruction Fuzzy Hash: C8715367B0D7975FE352A67CA8F70EA3BA4DF5323970946B3C1C4C90A3DD0D284A9291

Function 00007FFD347962FB Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6646a2e9ff296d3faf38fb427a5f72bce88dd1793c072c933691ae699c54677e
Instruction ID: 2db3570c7141f943c047b67aede394f934f1b52c2fa184aef7353d388632bba1
Opcode Fuzzy Hash: 6646a2e9ff296d3faf38fb427a5f72bce88dd1793c072c933691ae699c54677e
Instruction Fuzzy Hash: D361BEC7B0D6C29AF272517C18B60F97FA4DF5356570902B7C684C60B3AD0D790BA2E2

Function 00007FFD34797E4D Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b641f563cf9d8d6bdc770449dc2df67de9a77cbd5b000d528bafcdfd4b518c85
Instruction ID: dbb9237248bafbb358a271f8d222edef794b25f331d39ea2c04ddbeebc9a53cb
Opcode Fuzzy Hash: b641f563cf9d8d6bdc770449dc2df67de9a77cbd5b000d528bafcdfd4b518c85
Instruction Fuzzy Hash: 0451A287B0D7D3AAE353567C5CB60E53F90DF4326870800B7C285DB0A3E91D6C5BA2A6

Function 00007FFD347927F2 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43426c3a43161ca7849a553990a6d546bba8370b3b965606db314244e10c1d4
Instruction ID: 85cfb40634af884a70654daace1b73453d0d6a9a4eb6a636c5a9e30135a8af0b
Opcode Fuzzy Hash: c43426c3a43161ca7849a553990a6d546bba8370b3b965606db314244e10c1d4
Instruction Fuzzy Hash: 73518897B0D7D29FF692622C58B64E93FE0EF53234B0904F7C684DB093DD1D284696A2

Function 00007FFD34799870 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04112900d82d7455713abf905fc2251dcae8fa094f25fdd2ffdabe47d6efdd7
Instruction ID: 04d7e12e8ebed5cf51858b5d41945dce0ec5a433559fd0df76da12a6c20711e2
Opcode Fuzzy Hash: c04112900d82d7455713abf905fc2251dcae8fa094f25fdd2ffdabe47d6efdd7
Instruction Fuzzy Hash: 765195D790DBC66FF653562C18F60D93F90AF5322870900FBC698CF193ED0C285A9696

Function 00007FFD347956D8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d32f3b07610de1789415fed362b01b486034989a684def9ad1bacf1ed6e7b3
Instruction ID: 7703173e5e4979b2e77030e9d3691c847fa23cb7112f6f8ed201c29f956f3f57
Opcode Fuzzy Hash: 45d32f3b07610de1789415fed362b01b486034989a684def9ad1bacf1ed6e7b3
Instruction Fuzzy Hash: 8D41C897B0D6E3ABE262916C68F70DA3BD8DF5327870D05B7C6C4CA053ED0D244692D5

Function 00007FFD3486100D Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2412596764.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ae5a0eba57a0efd63ff16d64330c1f2dc35d608fc62aba437cb3eedfad56c2
Instruction ID: dcb76bfbdd605aa1945249e14b54cd949499f6994da8e90678fa94e5e5258500
Opcode Fuzzy Hash: f6ae5a0eba57a0efd63ff16d64330c1f2dc35d608fc62aba437cb3eedfad56c2
Instruction Fuzzy Hash: A421E612E0EBD60FE792A77448B55A07BE19F93220B4901F7D28CCB1E3ED1C58099352

Function 00007FFD34798BF2 Relevance: 6.3, Strings: 5, Instructions: 49COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD34798BF2
L_^, xrefs: 00007FFD34798C12
L_^, xrefs: 00007FFD34798C72
L_^, xrefs: 00007FFD34798C22
L_^, xrefs: 00007FFD34798C62

Memory Dump Source

Source File: 00000000.00000002.2411960437.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^
API String ID: 0-2264858084
Opcode ID: a0fab97f27e2efba5fb95de0daaed0ccfa030c71a1d14116337ffa504c8d0950
Instruction ID: a79df817da74ef8999a60190cd0f9f1b51c94afbe9af20a69ea35d178db8a09b
Opcode Fuzzy Hash: a0fab97f27e2efba5fb95de0daaed0ccfa030c71a1d14116337ffa504c8d0950
Instruction Fuzzy Hash: 4F0112F3A1EAC6AFE357822A58F90587FD4EE1321430A15F6C3948B193EE1C681A9155

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report I9xuKI2p2B.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\0810

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_okk40yyr.f5b.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryymyhwv.4hv.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\95ILA4DXL0ANFMURWXS7.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
I9xuKI2p2B.ps1