Windows Analysis Report
0vM02qWRT9.ps1

Overview

General Information

Sample name:0vM02qWRT9.ps1
renamed because original name is a hash value
Original sample name:6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
Analysis ID:1579860
MD5:2b84852065e28974e4081826ff09ddc1
SHA1:fa70a7f2a36ba300f57b130a31ef1ab66a1397ac
SHA256:6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30
Tags: lockbit, lockbit40, powershell, ps1, ransomware, user-TheRavenFile

Detection

LockBit ransomware, Metasploit
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found post-exploitation toolkit Empire
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Yara detected MetasploitPayload
AI detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Suspicious PowerShell Parameter Substring
AV process strings found (often used to terminate AV products)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6740 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\0vM02qWRT9.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WerFault.exe (PID: 6084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 2668 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.2895507384.00000000093B7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
00000006.00000002.2895507384.00000000093B7000.00000004.00000020.00020000.00000000.sdmp | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
  • 0x2e9f9:$a1: 66 83 F8 61 72 0C 66 83 F8 66 77 06 66 83 E8 57 EB 14 66 83 F8 30 72 0C 66 83 F8 39 77 06 66 83 E8 30 EB 02
  • 0x2ea40:$a1: 66 83 F8 61 72 0C 66 83 F8 66 77 06 66 83 E8 57 EB 17 66 83 F8 30 72 0C 66 83 F8 39 77 06 66 83 E8 30 EB 05
  • 0x2ec75:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security |
00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | Windows_Hacktool_Mimikatz_355d5d3a | Detection for Invoke-Mimikatz | unknown |
  • 0x14523:$b2: -MemoryAddress $GetCommandLineWAddrTemp
  • 0x1467a:$b2: -MemoryAddress $GetCommandLineWAddrTemp
  • 0x141b5:$b3: -MemoryAddress $GetCommandLineAAddrTemp
  • 0x1430c:$b3: -MemoryAddress $GetCommandLineAAddrTemp
00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp | Empire_Invoke_Gen | Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 | Florian Roth |
  • 0x13d48:$s1: $Shellcode1 += 0x48
  • 0x17418:$s2: $PEHandle = [IntPtr]::Zero
  • 0x19d9c:$s2: $PEHandle = [IntPtr]::Zero

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\0vM02qWRT9.ps1 , CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\0vM02qWRT9.ps1 , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6980, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\0vM02qWRT9.ps1 , ProcessId: 6740, ProcessName: powershell.exe
      Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1", ProcessId: 6980, ProcessName: powershell.exe
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1", ProcessId: 6980, ProcessName: powershell.exe
      No Suricata rule has matched

      AV Detection

      Source: 0vM02qWRT9.ps1 | ReversingLabs: Detection: 28%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.9% probability
      Source: Binary string: System.Configuration.Install.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Data.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbH source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.Management.Infrastructure.pdbu source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdb$XTA source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdbA source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Xml.pdb` source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Xml.ni.pdbRSDS# source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Core.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Numerics.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Transactions.ni.pdbRSDSc source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.DirectoryServices.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.SecureBoot.Commands.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WERC320.tmp.dmp.10.dr
      Source: Binary string: mscorlib.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.Install.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Numerics.pdbSystem.Configuration.Install.ni.dll source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Xml.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Security.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.DirectoryServices.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: mscorlib.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Data.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Xml.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.Automation.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Core.pdbp source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2867463561.0000000007322000.00000004.00000020.00020000.00000000.sdmp, WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb@ source: WERC320.tmp.dmp.10.dr
      Source: Binary string: mscorlib.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Security.pdbDZ source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.ni.pdbRSDSl source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Data.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Core.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Transactions.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Transactions.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Numerics.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Data.pdb, source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Core.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: powershell.exe, 00000001.00000002.2497943384.000001390B733000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2535169745.0000013919C7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000001.00000002.2497943384.00000139098C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2831689642.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
      Source: powershell.exe, 00000001.00000002.2497943384.000001390B29E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000001.00000002.2497943384.00000139098C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000006.00000002.2831689642.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBlq
      Source: powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000001.00000002.2497943384.000001390B733000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2535169745.0000013919C7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000001.00000002.2497943384.000001390B29E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
      Source: powershell.exe, 00000001.00000002.2497943384.000001390B29E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX

      Spam, unwanted Advertisements and Ransom Demands

      Source: Yara match | File source: 00000006.00000002.2895507384.00000000093B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2902283383.0000000010016000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2854432917.0000000005FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 00000006.00000002.2895507384.00000000093B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
      Source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detection for Invoke-Mimikatz Author: unknown
      Source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: 00000006.00000002.2902283383.0000000010016000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
      Source: 00000006.00000002.2854432917.0000000005FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
      Source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR | Matched rule: Detection for Invoke-Mimikatz Author: unknown
      Source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR | Matched rule: Detects obfuscated PowerShell Code Author: Florian Roth
      Source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR | Matched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR | Matched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 2668
      Source: 00000006.00000002.2895507384.00000000093B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
      Source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
      Source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
      Source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
      Source: 00000006.00000002.2902283383.0000000010016000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
      Source: 00000006.00000002.2854432917.0000000005FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
      Source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
      Source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR | Matched rule: SUSP_Obfuscted_PowerShell_Code date = 2018-12-13, author = Florian Roth, description = Detects obfuscated PowerShell Code, reference = https://twitter.com/silv0123/status/1073072691584880640
      Source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
      Source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
      Source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: classification engine | Classification label: mal92.rans.troj.spyw.winPS1@6/14@0/0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_03
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6740
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ropct0cy.um1.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: 0vM02qWRT9.ps1 | ReversingLabs: Detection: 28%
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\0vM02qWRT9.ps1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 2668
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\0vM02qWRT9.ps1 Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: System.Configuration.Install.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Data.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbH source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.Management.Infrastructure.pdbu source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdb$XTA source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdbA source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Xml.pdb` source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Xml.ni.pdbRSDS# source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Core.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Numerics.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Transactions.ni.pdbRSDSc source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.DirectoryServices.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.SecureBoot.Commands.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WERC320.tmp.dmp.10.dr
      Source: Binary string: mscorlib.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.Install.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Numerics.pdbSystem.Configuration.Install.ni.dll source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Xml.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Security.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.DirectoryServices.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: mscorlib.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Data.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Xml.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.Automation.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Core.pdbp source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2867463561.0000000007322000.00000004.00000020.00020000.00000000.sdmp, WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb@ source: WERC320.tmp.dmp.10.dr
      Source: Binary string: mscorlib.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Security.pdbDZ source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.ni.pdbRSDSl source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Management.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Data.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Core.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Transactions.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Transactions.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Numerics.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.ni.pdb source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Data.pdb, source: WERC320.tmp.dmp.10.dr
      Source: Binary string: System.Core.ni.pdbRSDS source: WERC320.tmp.dmp.10.dr
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFE7E1B4B67 push eax; retf 1_2_00007FFE7E1B4B71
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFE7E1B00BD pushad ; iretd 1_2_00007FFE7E1B00C1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_02DDE764 push ds; iretd 6_2_02DDE783
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_02DDE762 push ds; iretd 6_2_02DDE763
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_02DD697F pushfd ; iretd 6_2_02DD6983
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_02DDDFCD push ebx; iretd 6_2_02DDDFDA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_071B2FA0 push 8BFFFFFFh; retf 6_2_071B2FA6
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_094A9A04 push FFFFFF8Bh; ret 6_2_094A9A0E
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_094A9DB3 push FFFFFF8Bh; ret 6_2_094A9DBD

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4197
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4146
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6391
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3190
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3956; Thread sleep time: -6456360425798339s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3428; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3504; Thread sleep time: -7378697629483816s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: Amcache.hve.10.dr; Binary or memory string: VMware
      Source: Amcache.hve.10.dr; Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
      Source: powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: Amcache.hve.10.dr; Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.10.dr; Binary or memory string: vmci.syshbin
      Source: Amcache.hve.10.dr; Binary or memory string: VMware, Inc.
      Source: Amcache.hve.10.dr; Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.10.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.10.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.10.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.10.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.10.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: Amcache.hve.10.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.10.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.10.dr; Binary or memory string: vmci.sys
      Source: Amcache.hve.10.dr; Binary or memory string: vmci.syshbin`
      Source: Amcache.hve.10.dr; Binary or memory string: \driver\vmci,\driver\pci
      Source: powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: Amcache.hve.10.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.10.dr; Binary or memory string: VMware20,1
      Source: Amcache.hve.10.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.10.dr; Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.10.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.10.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.10.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.10.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.10.dr; Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.10.dr; Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.10.dr; Binary or memory string: VMware Virtual RAM
      Source: Amcache.hve.10.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.10.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\0vM02qWRT9.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
      Source: Amcache.hve.10.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
      Source: Amcache.hve.10.drBinary or memory string: MsMpEng.exe

      Remote Access Functionality

Source: powershell.exe, 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp Memory string: $Shellcode1 += 0x48
Source: powershell.exe, 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp Memory string: $PEHandle = [IntPtr]::Zero
Source: Yara match File source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6740, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the report's signature count for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (21); Process Injection (11); DLL Side-Loading (1); Obfuscated Files or Information (1); Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1579860, Sample: 0vM02qWRT9.ps1, Startdate: 23/12/2024, Architecture: WINDOWS, Score: 92)

Process tree: powershell.exe started powershell.exe and conhost.exe; the child powershell.exe started WerFault.exe and conhost.exe.
Signatures on the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected MetasploitPayload; 3 other signatures.
Signatures on the child powershell.exe: Found post-exploitation toolkit Empire; Loading BitLocker PowerShell Module.

Source | Detection | Scanner | Label
0vM02qWRT9.ps1 | 29% | ReversingLabs | Script-PowerShell.Trojan.Lockbit
No Antivirus matches
Name | IP | Active | Malicious | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | high
Name | Source | Malicious | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2497943384.000001390B733000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2535169745.0000013919C7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000001.00000002.2497943384.000001390B29E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | false | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2497943384.000001390B733000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2535169745.0000013919C7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/License | powershell.exe, 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp | false | high
https://oneget.orgX | powershell.exe, 00000001.00000002.2497943384.000001390B29E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://aka.ms/pscore6lBlq | powershell.exe, 00000006.00000002.2831689642.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp | false | high
http://upx.sf.net | Amcache.hve.10.dr | false | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.2497943384.00000139098C1000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2497943384.00000139098C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2831689642.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp | false | high
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2831689642.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp | false | high
https://oneget.org | powershell.exe, 00000001.00000002.2497943384.000001390B29E000.00000004.00000800.00020000.00000000.sdmp | false | high
                                              No contacted IP infos
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1579860
                                              Start date and time:2024-12-23 12:33:14 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 6m 35s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:14
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:0vM02qWRT9.ps1
                                              renamed because original name is a hash value
                                              Original Sample Name:6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30.ps1
                                              Detection:MAL
                                              Classification:mal92.rans.troj.spyw.winPS1@6/14@0/0
                                              EGA Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 11
                                              • Number of non-executed functions: 21
                                              Cookbook Comments:
                                              • Found application associated with file extension: .ps1
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 20.42.65.92, 172.202.163.200, 20.109.210.53, 20.190.177.82
                                              • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target powershell.exe, PID 6740 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 6980 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                              • VT rate limit hit for: 0vM02qWRT9.ps1
Time | Type | Description
06:36:09 | API Interceptor | 40x Sleep call for process: powershell.exe modified
06:36:43 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | fiFdIrd.txt.js | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 5XXofntDiN.exe | malicious | LummaC | 199.232.210.172
bg.microsoft.map.fastly.net | p3a0oZ4U7X.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | lKin1m7Pf2.lnk | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | fKdiT1D1dk.exe | malicious | RHADAMANTHYS | 199.232.214.172
bg.microsoft.map.fastly.net | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Support.Client.exe | malicious | ScreenConnect Tool | 199.232.214.172
bg.microsoft.map.fastly.net | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Rechnung736258.pdf.lnk | malicious | LummaC | 199.232.214.172
fp2e7a.wpc.phicdn.net | 30136156071477318040.js | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | BJQizQ6sqT.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | 6vNMeuQvlu.exe | malicious | Clipboard Hijacker, Cryptbot | 192.229.221.95
fp2e7a.wpc.phicdn.net | 2ZsJ2iP8Q2.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | BVGvbpplT8.exe | malicious | LummaC, Stealc | 192.229.221.95
fp2e7a.wpc.phicdn.net | mgEXk8ip26.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | r4xiHKy8aM.exe | malicious | Socks5Systemz | 192.229.221.95
fp2e7a.wpc.phicdn.net | dnf5RWZv2v.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | crhRJnVd08.exe | malicious | Clipboard Hijacker, Cryptbot | 192.229.221.95
fp2e7a.wpc.phicdn.net | xWnpPJbKGK.exe | malicious | Cryptbot | 192.229.221.95
                                              No context
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):1.5088689799417847
                                              Encrypted:false
                                              SSDEEP:192:AvAvCie/fl70wI+/LajqnOy0XbjwHYLzuiFtZ24IO8u:iA6j/flItALaj4O9bjDzuiFtY4IO8u
                                              MD5:17A1BEDF7A4BF22ABEB99031934D9802
                                              SHA1:EE672D68B2598CDC511B11107426CA0F9E937E57
                                              SHA-256:6A4C75BEAA0E21117391CBFE7B4823DD025B58654B4D35362A29BD8D60DCE2BF
                                              SHA-512:BBB6B3C60AD87C5958841268245D797B982C32A038B7580F977762A0D0A10A31E95A41491232556BE00FB04696AB1FABF9AA9CEFD0F8A1EED3D2BFCA45DA436F
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Mon Dec 23 11:36:16 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):635801
                                              Entropy (8bit):3.4839150809459607
                                              Encrypted:false
                                              SSDEEP:6144:9ahk7v4w+hjPYo0KyQ0xN04T/JSTghxGu:9Z+hd0KwxBhSTyxGu
                                              MD5:201EF72E513CF71DD7DC729D25E57706
                                              SHA1:504A7BAF854E15E3F222705A6AC0F57CBE4C3983
                                              SHA-256:BE449892D36B5B637E36B88CD88508566FAD0FA572E6B87C79DEC8EE0EFB31C0
                                              SHA-512:6C5A646E9584EB8EDB8B5365C811C6C46EBDE4AAD504BBB26637F5E3CC18F1F54726B61E9FAE20AEC0E01330F77E4BB25215F4901C94606EA0758278234A36CE
                                              Malicious:false
                                              Reputation:low
                                              Preview:MDMP..a..... .......0Kig.........................(..........................T.......8...........T...........Xl..AG...........3...........5..............................................................................eJ.......5......GenuineIntel............T.......T...*Kig.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8390
                                              Entropy (8bit):3.6945960339964934
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJ9r6W3S6Y/sSUhgmfTZPypDM89bGSsfuHCm:R6lXJx6L6Y0SUhgmfTZP2GRfuz
                                              MD5:2540A465A6015EF946B80D7531539CF4
                                              SHA1:EEB969E2675D6A935ECA71116D9787721D70B385
                                              SHA-256:6DCED8E5F6B14F1F5A7CC1CB2404256624006AB6C32A613CCB883941D945D97B
                                              SHA-512:EFFB384CD3219AAE82465F01B5D8C977B5D99363D6DA537F21C4B987B1DE211C0FC6F6051D59B516A85505F5BC5E162B22A4F142AD0EDD3FAE9233923EBE33CB
                                              Malicious:false
                                              Reputation:low
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.4.0.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4755
                                              Entropy (8bit):4.449926031134018
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsncJg77aI9UvWpW8VYoYm8M4JQ/m6F7+q8vmm6WX7+Rd:uIjfnaI7q+7VMJQOsKZ6E7+Rd
                                              MD5:7CD5A46FB22FAAB0B9D06BE67AE749EC
                                              SHA1:75A104FEE541310F67C0AC1FF3F1325EF575BCE8
                                              SHA-256:EE0974093D2B10C0817E56BDBB9D23A25138622480E515DE2DE680BB1ED2CEAF
                                              SHA-512:0BE102629853A600B0875E96EE1560B77DDBF603D15126D8E9B55C77CF383FE6D58AC6145A606A8A832F8E4A96AB1AB83084A545AF6A6BC25E07178D847F1100
                                              Malicious:false
                                              Reputation:low
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643838" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1940658735648508
                                              Encrypted:false
                                              SSDEEP:3:NlllulZ8r/z:NllUC
                                              MD5:2D9D2DB1CE8696C052A9E0D240AE3269
                                              SHA1:CAD1EFCFE919FDE2F7835CF7B6F7892BC572C131
                                              SHA-256:318C244E48C43C42CC81C2BB1DDDED6379D2342FBA1239CA3EF2745A68CABE4C
                                              SHA-512:38D28E565E1AAE3572A13CE665570DA515FEFC648C54D572F3EE5FBCE0E788374E43EA48F5BDB38DB03121E3E12A5F9A889E0CBE3A8070AC857B7576D50E59AF
                                              Malicious:false
                                              Reputation:low
                                              Preview:@...e................................................@..........
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:modified
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6221
                                              Entropy (8bit):3.716278477544489
                                              Encrypted:false
                                              SSDEEP:96:+nTCUpNZ/VlYkvhkvCCtczreglhHXzreklhHo:+nfpNRVmcz/7zPs
                                              MD5:77B91837421C0F3ADA62E9C0E80DE1C2
                                              SHA1:5CC660AF6D0BAB93F7BCDBC55263EBEBAA64ADD3
                                              SHA-256:14F8FD3C30A3342C1945095648FF28496A33D74410E834A218E94180FF296BA3
                                              SHA-512:897E531453D349CFA4F2982E12C8132B261721DBCBD2F16C16A405D055EA72B11E199C7E40525683F71691384769D6F6009448F3E96E1D2D822135FAC2812567
                                              Malicious:false
                                              Preview:...................................FL..................F.".. ...]...z....)...U..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z........U...W...U......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V.YF\..........................B...A.p.p.D.a.t.a...B.V.1......YL\..Roaming.@......EW.V.YL\..........................Q...R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.V.YF\..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.Y..Windows.@......EW.V.YF\...........................O<.W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.V.YF\....................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.V.YF\....................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.V.Yq\................
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6221
                                              Entropy (8bit):3.716278477544489
                                              Encrypted:false
                                              SSDEEP:96:+nTCUpNZ/VlYkvhkvCCtczreglhHXzreklhHo:+nfpNRVmcz/7zPs
                                              MD5:77B91837421C0F3ADA62E9C0E80DE1C2
                                              SHA1:5CC660AF6D0BAB93F7BCDBC55263EBEBAA64ADD3
                                              SHA-256:14F8FD3C30A3342C1945095648FF28496A33D74410E834A218E94180FF296BA3
                                              SHA-512:897E531453D349CFA4F2982E12C8132B261721DBCBD2F16C16A405D055EA72B11E199C7E40525683F71691384769D6F6009448F3E96E1D2D822135FAC2812567
                                              Malicious:false
                                              Preview:...................................FL..................F.".. ...]...z....)...U..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z........U...W...U......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V.YF\..........................B...A.p.p.D.a.t.a...B.V.1......YL\..Roaming.@......EW.V.YL\..........................Q...R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.V.YF\..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.Y..Windows.@......EW.V.YF\...........................O<.W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.V.YF\....................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.V.YF\....................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.V.Yq\................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:MS Windows registry file, NT/2000 or above
                                              Category:dropped
                                              Size (bytes):1835008
                                              Entropy (8bit):4.298712723912436
                                              Encrypted:false
                                              SSDEEP:6144:xECqOEmWfd+WQFpy/9026ZTyaRsCDusBqD5dooi8l+SD6VJSR1d:GCyL6seqD5STSWVAR7
                                              MD5:6F50E2E12711399AC86942F803582513
                                              SHA1:88323C3213EF053693CF75A88F44850439B4AF38
                                              SHA-256:37F03FB1021407D8D94508B8CF92156893E9D9DFC14E54D90DA2609311B22623
                                              SHA-512:0E6CD9F29D77022096AE132730F100DF3A92C614DD59A2585303457C17186330939A6F1ECD64D4922244D06F55E0B6BA54A11240C8E4ED945B171AB1AEF47529
                                              Malicious:false
                                              Preview:regfE...E....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR....U..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
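
The entries above list, for every dropped file, its size, MD5/SHA1/SHA-256/SHA-512 digests and an "Entropy (8bit)" figure. The following is an added example (not Joe Sandbox code) that recomputes those values for one of the 60-byte "# PowerShell test file to determine AppLocker lockdown mode" files and checks them against the report. The file's bytes are taken from the report's preview; the one assumption is a trailing space, which the preview cannot show but which is the only byte that brings the size to 60 and the entropy to 4.0389 bits/byte.

```python
"""Recompute a dropped file's report values (digests, 8-bit entropy) and
check them against the report. Added example, not Joe Sandbox code."""
import hashlib
import math
from collections import Counter

# Bytes of the 60-byte "# PowerShell test file ..." entries above, taken from
# the report's preview. The trailing space is an inference, not visible in
# the preview: it is what makes the size 60 bytes and the entropy 4.0389.
APPLOCKER_TEST_FILE = b"# PowerShell test file to determine AppLocker lockdown mode "

# Values copied from the report entry for that file.
REPORTED = {
    "size": 60,
    "md5": "D17FE0A3F47BE24A6453E9EF58C94641",
    "sha1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D",
    "sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7",
    "sha512": "5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3C"
              "EC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82",
    "entropy": 4.038920595031593,
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 to 8.0: the report's 'Entropy (8bit)'."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def profile(data: bytes) -> dict:
    """Size, digests (upper-case hex, as the report prints them) and entropy."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "entropy": shannon_entropy(data),
    }


def compare(data: bytes, reported: dict) -> dict:
    """Field-by-field match against a report entry (entropy within 1e-6)."""
    got = profile(data)
    return {k: (abs(got[k] - v) < 1e-6 if k == "entropy" else got[k] == v)
            for k, v in reported.items()}


def looks_packed_or_encrypted(data: bytes, threshold: float = 7.2) -> bool:
    """Common triage rule: near-maximal entropy usually means compressed,
    packed or encrypted content. Every file listed above sits between about
    1.2 and 4.5 bits/byte, consistent with its Encrypted:false flag."""
    return shannon_entropy(data) > threshold


if __name__ == "__main__":
    for field, ok in compare(APPLOCKER_TEST_FILE, REPORTED).items():
        print(f"{field:8} {'match' if ok else 'MISMATCH'}")
```

The same `profile()` can be pointed at any file pulled out of the sandbox to confirm that what you downloaded is the artefact the report describes, before it goes into a ticket or a blocklist.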
                                              File type:ASCII text, with very long lines (65312), with CRLF, LF line terminators
                                              Entropy (8bit):3.4739820909499026
                                              TrID:
                                                File name:0vM02qWRT9.ps1
                                                File size:604'879 bytes
                                                MD5:2b84852065e28974e4081826ff09ddc1
                                                SHA1:fa70a7f2a36ba300f57b130a31ef1ab66a1397ac
                                                SHA256:6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30
                                                SHA512:63f44bc545a7b7da355903f99dcbfd0033756f41717bc9b210bdc2094f97c2efa68dee814d03e392d94e579ae170e16ef447f86b07363b1fedffa7c7d3b54ce1
                                                SSDEEP:1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJw:cR
                                                TLSH:CBD41AF063A099E3B6D94997A265185D3B2A103FBDC635D84083FBDD2C7B6C08A19CD7
                                                File Content Preview:for ($i = 0; $i -lt $args.count; $i++ ){$argument += $args[$i] + ' '} . $psFile=$PSCommandPath.$global:ProgressPreference = "SilentlyContinue"....# -- thread variables..$script:threadBody = '$data=$threadData;'..$data = @(..@(62416317159553766,61715855556
                                                Icon Hash:3270d6baae77db44
                                                DNS answers seen by the analysis VM (192.168.2.11) from resolver 1.1.1.1:

                                                Timestamp                           | Source IP | Dest IP      | Trans ID | Reply Code   | Name                        | CName                 | Address         | Type                   | Class       | DNS over HTTPS
                                                Dec 23, 2024 12:34:44.566261053 CET | 1.1.1.1   | 192.168.2.11 | 0xb97b   | No error (0) | bg.microsoft.map.fastly.net |                       | 199.232.210.172 | A (IP address)         | IN (0x0001) | false
                                                Dec 23, 2024 12:34:44.566261053 CET | 1.1.1.1   | 192.168.2.11 | 0xb97b   | No error (0) | bg.microsoft.map.fastly.net |                       | 199.232.214.172 | A (IP address)         | IN (0x0001) | false
                                                Dec 23, 2024 12:34:47.519851923 CET | 1.1.1.1   | 192.168.2.11 | 0xa264   | No error (0) | bg.microsoft.map.fastly.net |                       | 199.232.214.172 | A (IP address)         | IN (0x0001) | false
                                                Dec 23, 2024 12:34:47.519851923 CET | 1.1.1.1   | 192.168.2.11 | 0xa264   | No error (0) | bg.microsoft.map.fastly.net |                       | 199.232.210.172 | A (IP address)         | IN (0x0001) | false
                                                Dec 23, 2024 12:34:51.995034933 CET | 1.1.1.1   | 192.168.2.11 | 0x9e81   | No error (0) | fp2e7a.wpc.2be4.phicdn.net  | fp2e7a.wpc.phicdn.net |                 | CNAME (Canonical name) | IN (0x0001) | false
                                                Dec 23, 2024 12:34:51.995034933 CET | 1.1.1.1   | 192.168.2.11 | 0x9e81   | No error (0) | fp2e7a.wpc.phicdn.net       |                       | 192.229.221.95  | A (IP address)         | IN (0x0001) | false

                                                Note: both names are CDN hostnames that Windows background services resolve on their own; compare against a clean-VM baseline before treating them as indicators of the sample.

                                                Target ID:1
                                                Start time:06:35:31
                                                Start date:23/12/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1"
                                                Imagebase:0x7ff6eb350000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:06:35:32
                                                Start date:23/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff68cce0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:06:36:10
                                                Start date:23/12/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\0vM02qWRT9.ps1
                                                Imagebase:0xc00000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000006.00000002.2895507384.00000000093B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000006.00000002.2895507384.00000000093B7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Hacktool_Mimikatz_355d5d3a, Description: Detection for Invoke-Mimikatz, Source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Empire_Invoke_Gen, Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                • Rule: Empire_PowerShell_Framework_Gen5, Description: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000006.00000002.2854432917.0000000005D9A000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000006.00000002.2902283383.0000000010016000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000006.00000002.2902283383.0000000010016000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000006.00000002.2854432917.0000000005FA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000006.00000002.2854432917.0000000005FA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000006.00000002.2854432917.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 7
Start time: 06:36:10
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff68cce0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 06:36:15
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 2668
Imagebase: 0x280000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'lq$4'lq$84+l$tPlq
                                                  • API String ID: 0-1941544011
                                                  • Opcode ID: 0365a1a7fca354b5d6266ea1f0b655435d794edf12ec5213474b45f0876cdd32
                                                  • Instruction ID: c90ad72b956e42cabce9d5454a551459b7eaf523d938e2ce175ea0fe329fe146
                                                  • Opcode Fuzzy Hash: 0365a1a7fca354b5d6266ea1f0b655435d794edf12ec5213474b45f0876cdd32
                                                  • Instruction Fuzzy Hash: 425160B0A11209DFCB35CF58C484AEBB7B2BB8D710F59819AE8056B2D5D771EC81CB51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2829831734.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2dd0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: <`$<`$<`$<`
                                                  • API String ID: 0-758776151
                                                  • Opcode ID: b7670acfa2bd43b14e8f13bb03efc467e164a3e3485bc850098df935334a5632
                                                  • Instruction ID: 9eb7c230872907feffb6b421a0b73fa34d4eb2ba5dc8d19a9e2c5c250b0f985c
                                                  • Opcode Fuzzy Hash: b7670acfa2bd43b14e8f13bb03efc467e164a3e3485bc850098df935334a5632
                                                  • Instruction Fuzzy Hash: F941BC70708E41CF8358DA298180577B7F2FB863087A6895AE4E7CBB41D621FC46DF96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2867222667.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_71b0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 84+l$84+l$tPlq$tPlq
                                                  • API String ID: 0-2511265860
                                                  • Opcode ID: 4d2d924fbbdb001a1276da1f29f624736bae743e431e8c44d203bdc3980ab82c
                                                  • Instruction ID: 3a373c40bd088221d6dca004e69989de467cb04877d14374d1f5b6615d00862c
                                                  • Opcode Fuzzy Hash: 4d2d924fbbdb001a1276da1f29f624736bae743e431e8c44d203bdc3980ab82c
                                                  • Instruction Fuzzy Hash: 3B413BB1A042499FC7328B688840696BFB2EFC6314F25C49BE5459F2D5C771EC05C7E2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2867222667.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_71b0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XG$XG$XG$|p./
                                                  • API String ID: 0-3904351702
                                                  • Opcode ID: 8a3d7aa5f45fd9774d606c1442b5aa20921905281aa12922df573cb45244a539
                                                  • Instruction ID: f008333b649638fae9c8c124a60e04a38bf4e094b405875c6a3b9279b4ad8148
                                                  • Opcode Fuzzy Hash: 8a3d7aa5f45fd9774d606c1442b5aa20921905281aa12922df573cb45244a539
                                                  • Instruction Fuzzy Hash: BD11B7B1900356CFCB358F6899816E6BBE4EF95310F0541BFD405DB191D7348989CBA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2867222667.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_71b0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 09;i$4'lq$4'lq$@9;i
                                                  • API String ID: 0-2798890457
                                                  • Opcode ID: d40a822f71f47adba222058aa97c26e00d93b736b6e84361f5dcabf72fe254fb
                                                  • Instruction ID: c7ac00f9c1c545f4e15d89eefa922e0c04f8f8a9d6a1aebaf5b5a2f122bc71d8
                                                  • Opcode Fuzzy Hash: d40a822f71f47adba222058aa97c26e00d93b736b6e84361f5dcabf72fe254fb
                                                  • Instruction Fuzzy Hash: 961155F57093995FC3360B6854156E23FA29B9261072540ABD580CFAE5D6708C45C3F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2867222667.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_71b0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4'lq$4'lq$$lq$$lq
                                                  • API String ID: 0-3653280165
                                                  • Opcode ID: 430336f4651c96f253f6e2577ce34d94692d889e0dea391839729da101ce623f
                                                  • Instruction ID: 633b2868c7fefe4cbc1418c385a9222480f547c8b258c9a7aa87cf707f040892
                                                  • Opcode Fuzzy Hash: 430336f4651c96f253f6e2577ce34d94692d889e0dea391839729da101ce623f
                                                  • Instruction Fuzzy Hash: 3B01D6617093868FD32B1A7C1820156AF739FD765072A40EBC441DF2EBCE548D0AC3A6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2867222667.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_71b0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: o.l$ o.l$L-l$L-l
                                                  • API String ID: 0-1115226664
                                                  • Opcode ID: 5dce1a71b61ceefd13c4b4d831ef4bb8c7d7e0716d6c431dfe6bf3ad335fe4ab
                                                  • Instruction ID: a2ebdbf47f92d5bad4d0ffe5fd16499eb18577b70a565f4c44c3a0f39bac98e5
                                                  • Opcode Fuzzy Hash: 5dce1a71b61ceefd13c4b4d831ef4bb8c7d7e0716d6c431dfe6bf3ad335fe4ab
                                                  • Instruction Fuzzy Hash: 6DF02BB371020E9F8234520D84015E6FA969BD5650B150037EE05EF3F8DF70DC0487D2
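The similarity records above are the report's own data, rendered one field per line. As an added example that is not part of the Joe Sandbox report, the Python below parses records in exactly this text layout and answers the two questions an analyst usually has when skimming them: how many matched functions sit in each memory-dump region, and which API String IDs recur across different functions (the same string set referenced by more than one code block). The decomposition of the `.sdmp` file name into PID, dump stage and base address is an assumption based on how the names line up with the `hcaresult_6_2_71b0000_powershell.jbxd` snapshot names, not a documented Joe Sandbox format; the three sample records are copied from this page.

```python
"""Parse Joe Sandbox 'Similarity' records from a text export and summarise
them per memory-dump region.  Added example, not Joe Sandbox code."""
import re
from collections import Counter, defaultdict

# Constructed sample input: three records copied verbatim from the report.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000006.00000002.2867222667.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_71b0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84+l$84+l$tPlq$tPlq
• API String ID: 0-2511265860
• Opcode ID: e932144a6936fb612eff41fa73b250ab9d4ea334e6d2f701a3a7a9a89993cc39
• Instruction ID: 200161ffa8f1d9497ce113c8f1ea5106a1f52c9e8222c1b24d541b706f6d23ec
• Opcode Fuzzy Hash: e932144a6936fb612eff41fa73b250ab9d4ea334e6d2f701a3a7a9a89993cc39
• Instruction Fuzzy Hash: 479146B1B002559FCB259F6988506EBBBA2FF95310F28846ADC05DB281DB31ED49C7A1
Strings
Memory Dump Source
• Source File: 00000006.00000002.2829831734.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2dd0000_powershell.jbxd
Similarity
• API ID:
• String ID: <`$<`$<`$<`
• API String ID: 0-758776151
• Opcode ID: b7670acfa2bd43b14e8f13bb03efc467e164a3e3485bc850098df935334a5632
• Instruction ID: 9eb7c230872907feffb6b421a0b73fa34d4eb2ba5dc8d19a9e2c5c250b0f985c
• Opcode Fuzzy Hash: b7670acfa2bd43b14e8f13bb03efc467e164a3e3485bc850098df935334a5632
• Instruction Fuzzy Hash: F941BC70708E41CF8358DA298180577B7F2FB863087A6895AE4E7CBB41D621FC46DF96
Strings
Memory Dump Source
• Source File: 00000006.00000002.2867222667.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_71b0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84+l$84+l$tPlq$tPlq
• API String ID: 0-2511265860
• Opcode ID: 4d2d924fbbdb001a1276da1f29f624736bae743e431e8c44d203bdc3980ab82c
• Instruction ID: 3a373c40bd088221d6dca004e69989de467cb04877d14374d1f5b6615d00862c
• Opcode Fuzzy Hash: 4d2d924fbbdb001a1276da1f29f624736bae743e431e8c44d203bdc3980ab82c
• Instruction Fuzzy Hash: 3B413BB1A042499FC7328B688840696BFB2EFC6314F25C49BE5459F2D5C771EC05C7E2
"""

# "• Key: value"; the value may itself contain colons (the Source File line does).
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")

# Assumed layout of the .sdmp name: <pid>.<stage>.<seq>.<base>.<flags...>.sdmp
# The 8-hex-digit PID matches the "_6_" in the snapshot file name.
SOURCE_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\..*\.sdmp,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)


def parse_records(text):
    """Split the export into records (one per 'Memory Dump Source' header)
    and collect every bulleted 'Key: value' line into a dict."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def source_info(record):
    """Decode the Source File line into PID, dump offset and PE flag."""
    m = SOURCE_RE.match(record["Source File"])
    if not m:
        raise ValueError("unrecognised Source File: %r" % record["Source File"])
    return {"pid": int(m.group("pid"), 16),
            "offset": m.group("offset").upper(),
            "based_on_pe": m.group("pe") == "true"}


def summarize(records):
    """Per dump region: owning PID, number of matched functions and the
    distinct API String IDs referenced from that region."""
    per_region = defaultdict(lambda: {"pid": None, "functions": 0, "api_string_ids": set()})
    for rec in records:
        info = source_info(rec)
        region = per_region[info["offset"]]
        region["pid"] = info["pid"]
        region["functions"] += 1
        region["api_string_ids"].add(rec["API String ID"])
    return dict(per_region)


def shared_api_string_ids(records):
    """API String IDs referenced by more than one distinct function."""
    counts = Counter(rec["API String ID"] for rec in records)
    return {sid: n for sid, n in counts.items() if n > 1}


def inconsistent_opcode_hashes(records):
    """Records whose Opcode ID and Opcode Fuzzy Hash disagree (none expected;
    the report prints the same value under both labels)."""
    return [r for r in records if r.get("Opcode ID") != r.get("Opcode Fuzzy Hash")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for offset, info in sorted(summarize(recs).items()):
        print(offset, info["pid"], info["functions"], sorted(info["api_string_ids"]))
    print("shared API String IDs:", shared_api_string_ids(recs))
```

Run against the full text export rather than `SAMPLE`, the per-region counts show where the injected code that IDA matched actually lives (here almost everything is in the `071B0000` region of PID 6, the 32-bit `powershell.exe` spawned with `-ex bypass`), and the shared API String IDs point at distinct functions that reference the same string set, which is worth checking before assuming two fuzzy-hash hits are the same routine.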